Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled â€œGNU Free Documentation Licenseâ€.

About

OpenOCD was created by Dominic Rath as part of a diploma thesis written at the University of Applied Sciences Augsburg (http://www.fh-augsburg.de). Since that time, the project has grown into an active open-source project, supported by a diverse community of software and hardware developers from around the world.

0.1 What is OpenOCD?

It does so with the assistance of a debug adapter, which is a small hardware module which helps provide the right kind of electrical signaling to the target being debugged. These are required since the debug host (on which OpenOCD runs) wonâ€™t usually have native support for such signaling, or the connector needed to hook up to the target.

Such debug adapters support one or more transport protocols, each of which involves different electrical signaling (and uses different messaging protocols on top of that signaling). There are many types of debug adapter, and little uniformity in what they are called. (There are also product naming differences.)

These adapters are sometimes packaged as discrete dongles, which may generically be called hardware interface dongles. Some development boards also integrate them directly, which may let the development board can be directly connected to the debug host over USB (and sometimes also to power it over USB).

For example, a JTAG Adapter supports JTAG signaling, and is used to communicate with JTAG (IEEE 1149.1) compliant TAPs on your target board. A TAP is a â€œTest Access Portâ€, a module which processes special instructions and data. TAPs are daisy-chained within and between chips and boards. JTAG supports debugging and boundary scan operations.

There are also SWD Adapters that support Serial Wire Debug (SWD) signaling to communicate with some newer ARM cores, as well as debug adapters which support both JTAG and SWD transports. SWD only supports debugging, whereas JTAG also supports boundary scan operations.

For some chips, there are also Programming Adapters supporting special transports used only to write code to flash memory, without support for on-chip debugging or boundary scan. (At this writing, OpenOCD does not support such non-debug adapters.)

0.4 OpenOCD Userâ€™s Forum

There is an OpenOCD forum (phpBB) hosted by SparkFun, which might be helpful to you. Note that if you want anything to come to the attention of developers, you should post it to the OpenOCD Developer Mailing List instead of this forum.

1. OpenOCD Developer Resources

If you are interested in improving the state of OpenOCDâ€™s debugging and testing support, new contributions will be welcome. Motivated developers can produce new target, flash or interface drivers, improve the documentation, as well as more conventional bug fixes and enhancements.

The resources in this chapter are available for developers wishing to explore or expand the OpenOCD source code.

With standard GIT tools, use git clone to initialize a local repository, and git pull to update it. There are also gitweb pages letting you browse the repository with a web browser, or download arbitrary snapshots without needing a GIT client:

The â€˜READMEâ€™ file contains the instructions for building the project from the repository or a snapshot.

Developers that want to contribute patches to the OpenOCD system are strongly encouraged to work against mainline. Patches created against older versions may require additional work from their submitter in order to be updated for newer releases.

1.2 Doxygen Developer Manual

During the 0.2.x release cycle, the OpenOCD project began providing a Doxygen reference manual. This document contains more technical information about the software internals, development processes, and similar documentation:

This document is a work-in-progress, but contributions would be welcome to fill in the gaps. All of the source files are provided in-tree, listed in the Doxyfile configuration in the top of the source tree.

2. Debug Adapter Hardware

Defined: dongle: A small device that plugins into a computer and serves as an adapter .... [snip]

In the OpenOCD case, this generally refers to a small adapter that attaches to your computer via USB or the Parallel Printer Port. One exception is the Zylin ZY1000, packaged as a small box you attach via an ethernet cable. The Zylin ZY1000 has the advantage that it does not require any drivers to be installed on the developer PC. It also has a built in web interface. It supports RTCK/RCLK or adaptive clocking and has a built in relay to power cycle targets remotely.

2.3 USB FT2232 Based

There are many USB JTAG dongles on the market, many of them are based on a chip from â€œFuture Technology Devices Internationalâ€ (FTDI) known as the FTDI FT2232; this is a USB full speed (12 Mbps) chip. See: http://www.ftdichip.com for more information. In summer 2009, USB high speed (480 Mbps) versions of these FTDI chips are starting to become available in JTAG adapters. (Adapters using those high speed FT2232H chips may support adaptive clocking.)

The FT2232 chips are flexible enough to support some other transport options, such as SWD or the SPI variants used to program some chips. They have two communications channels, and one can be used for a UART adapter at the same time the other one is used to provide a debug adapter.

Also, some development boards integrate an FT2232 chip to serve as a built-in low cost debug adapter and usb-to-serial solution.

Stellaris Eval Boards See: http://www.luminarymicro.com - The Stellaris eval boards bundle FT2232-based JTAG and SWD support, which can be used to debug the Stellaris chips. Using separate JTAG adapters is optional. These boards can also be used in a "pass through" mode as JTAG adapters to other target boards, disabling the Stellaris chip.

Luminary ICDI See: http://www.luminarymicro.com - Luminary In-Circuit Debug Interface (ICDI) Boards are included in Stellaris LM3S9B9x Evaluation Kits. Like the non-detachable FT2232 support on the other Stellaris eval boards, they can be used to debug other target boards.

2.4 USB-JTAG / Altera USB-Blaster compatibles

These devices also show up as FTDI devices, but are not protocol-compatible with the FT2232 devices. They are, however, protocol-compatible among themselves. USB-JTAG devices typically consist of a FT245 followed by a CPLD that understands a particular protocol, or emulate this protocol using some other hardware.

They may appear under different USB VID/PID depending on the particular product. The driver can be configured to search for any VID/PID pair (see the section on driver commands).

2.6 USB RLINK based

Raisonance has an adapter called RLink. It exists in a stripped-down form on the STM32 Primer, permanently attached to the JTAG lines. It also exists on the STM32 Primer2, but that is wired for SWD and not JTAG, thus not supported.

For info the original ST-LINK enumerates using the mass storage usb class, however itâ€™s implementation is completely broken. The result is this causes issues under linux. The simplest solution is to get linux to ignore the ST-LINK using one of the following methods:

3. About Jim-Tcl

OpenOCD uses a small â€œTcl Interpreterâ€ known as Jim-Tcl. This programming language provides a simple and extensible command interpreter.

All commands presented in this Guide are extensions to Jim-Tcl. You can use them as simple commands, without needing to learn much of anything about Tcl. Alternatively, can write Tcl programs with them.

You can learn more about Jim at its website, http://jim.berlios.de. There is an active and responsive community, get on the mailing list if you have any questions. Jim-Tcl maintainers also lurk on the OpenOCD mailing list.

Jim vs. Tcl Jim-Tcl is a stripped down version of the well known Tcl language, which can be found here: http://www.tcl.tk. Jim-Tcl has far fewer features. Jim-Tcl is several dozens of .C files and .H files and implements the basic Tcl command set. In contrast: Tcl 8.6 is a 4.2 MB .zip file containing 1540 files.

Missing Features Our practice has been: Add/clone the real Tcl feature if/when needed. We welcome Jim-Tcl improvements, not bloat. Also there are a large number of optional Jim-Tcl features that are not enabled in OpenOCD.

Commands At the OpenOCD telnet command line (or via the GDB monitor command) one can type a Tcl for() loop, set variables, etc. Some of the commands documented in this guide are implemented as Tcl scripts, from a â€˜startup.tclâ€™ file internal to the server.

Historical Note Jim-Tcl was introduced to OpenOCD in spring 2008. Fall 2010, before OpenOCD 0.5 release OpenOCD switched to using Jim Tcl as a git submodule, which greatly simplified upgrading Jim Tcl to benefit from new features and bugfixes in Jim Tcl.

4. Running

Properly installing OpenOCD sets up your operating system to grant it access to the debug adapters. On Linux, this usually involves installing a file in â€˜/etc/udev/rules.d,â€™ so OpenOCD has permissions. MS-Windows needs complex and confusing driver configuration for every peripheral. Such issues are unique to each operating system, and are not detailed in this Userâ€™s Guide.

Then later you will invoke the OpenOCD server, with various options to tell it how each debug session should work. The â€˜--helpâ€™ option shows:

If you donâ€™t give any â€˜-fâ€™ or â€˜-câ€™ options, OpenOCD tries to read the configuration file â€˜openocd.cfgâ€™. To specify one or more different configuration files, use â€˜-fâ€™ options. For example:

openocd -f config1.cfg -f config2.cfg -f config3.cfg

Configuration files and scripts are searched for in

the current directory,

any search dir specified on the command line using the â€˜-sâ€™ option,

any search dir specified using the add_script_search_dir command,

â€˜$HOME/.openocdâ€™ (not on Windows),

the site wide script library â€˜$pkgdatadir/siteâ€™ and

the OpenOCD-supplied script library â€˜$pkgdatadir/scriptsâ€™.

The first found file with a matching file name will be used.

Note: Donâ€™t try to use configuration script names or paths which include the "#" character. That character begins Tcl comments.

4.1 Simple setup, no customization

In the best case, you can use two scripts from one of the script libraries, hook up your JTAG adapter, and start the server ... and your JTAG setup will just work "out of the box". Always try to start by reusing those scripts, but assume youâ€™ll need more customization even if this works. See section [#OpenOCD-Project-Setup OpenOCD Project Setup].

If you find a script for your JTAG adapter, and for your board or target, you may be able to hook up your JTAG adapter then start the server like:

openocd -f interface/ADAPTER.cfg -f board/MYBOARD.cfg

You might also need to configure which reset signals are present, using â€˜-c 'reset_config trst_and_srst'â€™ or something similar. If all goes well youâ€™ll see output something like

4.2 What OpenOCD does as it starts

OpenOCD starts by processing the configuration commands provided on the command line or, if there were no â€˜-c commandâ€™ or â€˜-f file.cfgâ€™ options given, in â€˜openocd.cfgâ€™. See [#Configuration-Stage Configuration Stage]. At the end of the configuration stage it verifies the JTAG scan chain defined using those commands; your configuration should ensure that this always succeeds. Normally, OpenOCD then starts running as a daemon. Alternatively, commands may be used to terminate the configuration stage early, perform work (such as updating some flash memory), and then shut down without acting as a daemon.

Once OpenOCD starts running as a daemon, it waits for connections from clients (Telnet, GDB, Other) and processes the commands issued through those channels.

If you are having problems, you can enable internal debug messages via the â€˜-dâ€™ option.

Also it is possible to interleave Jim-Tcl commands w/config scripts using the â€˜-câ€™ command line switch.

To enable debug output (when reporting problems or working on OpenOCD itself), use the â€˜-dâ€™ command line switch. This sets the â€˜debug_levelâ€™ to "3", outputting the most information, including debug messages. The default setting is "2", outputting only informational messages, warnings and errors. You can also change this setting from within a telnet or gdb session using debug_level <n> (see [#debug_005flevel debug_level]).

You can redirect all output from the daemon to a file using the â€˜-l <logfile>â€™ switch.

Note! OpenOCD will launch the GDB & telnet server even if it can not establish a connection with the target. In general, it is possible for the JTAG controller to be unresponsive until the target is set up correctly via e.g. GDB monitor commands in a GDB init script.

5. OpenOCD Project Setup

To use OpenOCD with your development projects, you need to do more than just connecting the JTAG adapter hardware (dongle) to your development board and then starting the OpenOCD server. You also need to configure that server so that it knows about that adapter and board, and helps your work. You may also want to connect OpenOCD to GDB, possibly using Eclipse or some other GUI.

5.1 Hooking up the JTAG Adapter

Todayâ€™s most common case is a dongle with a JTAG cable on one side (such as a ribbon cable with a 10-pin or 20-pin IDC connector) and a USB cable on the other. Instead of USB, some cables use Ethernet; older ones may use a PC parallel port, or even a serial port.

Start with power to your target board turned off, and nothing connected to your JTAG adapter. If youâ€™re particularly paranoid, unplug power to the board. Itâ€™s important to have the ground signal properly set up, unless you are using a JTAG adapter which provides galvanic isolation between the target board and the debugging host.

Be sure itâ€™s the right kind of JTAG connector. If your dongle has a 20-pin ARM connector, you need some kind of adapter (or octopus, see below) to hook it up to boards using 14-pin or 10-pin connectors ... or to 20-pin connectors which donâ€™t use ARMâ€™s pinout.

In the same vein, make sure the voltage levels are compatible. Not all JTAG adapters have the level shifters needed to work with 1.2 Volt boards.

Be certain the cable is properly oriented or you might damage your board. In most cases there are only two possible ways to connect the cable. Connect the JTAG cable from your adapter to the board. Be sure itâ€™s firmly connected.

In the best case, the connector is keyed to physically prevent you from inserting it wrong. This is most often done using a slot on the boardâ€™s male connector housing, which must match a key on the JTAG cableâ€™s female connector. If thereâ€™s no housing, then you must look carefully and make sure pin 1 on the cable hooks up to pin 1 on the board. Ribbon cables are frequently all grey except for a wire on one edge, which is red. The red wire is pin 1.
Sometimes dongles provide cables where one end is an â€œoctopusâ€ of color coded single-wire connectors, instead of a connector block. These are great when converting from one JTAG pinout to another, but are tedious to set up. Use these with connector pinout diagrams to help you match up the adapter signals to the right board pins.

Connect the adapterâ€™s other end once the JTAG cable is connected. A USB, parallel, or serial port connector will go to the host which you are using to run OpenOCD. For Ethernet, consult the documentation and your network administrator.

For USB based JTAG adapters you have an easy sanity check at this point: does the host operating system see the JTAG adapter? If that host is an MS-Windows host, youâ€™ll need to install a driver before OpenOCD works.

Connect the adapterâ€™s power supply, if needed. This step is primarily for non-USB adapters, but sometimes USB adapters need extra power.

Power up the target board. Unless you just let the magic smoke escape, youâ€™re now ready to set up the OpenOCD server so you can use JTAG to work with that board.

Talk with the OpenOCD server using telnet (telnet localhost 4444 on many systems) or GDB. See section [#GDB-and-OpenOCD GDB and OpenOCD].

5.2 Project Directory

There are many ways you can configure OpenOCD and start it up.

A simple way to organize them all involves keeping a single directory for your work with a given board. When you start OpenOCD from that directory, it searches there first for configuration files, scripts, files accessed through semihosting, and for code you upload to the target board. It is also the natural place to write files, such as log files and data you download from the board.

You could wrap such long command lines in shell scripts, each supporting a different development task. One might re-flash the board with a specific firmware version. Another might set up a particular debugging or run-time environment.

Important: At this writing (October 2009) the command line method has problems with how it treats variables. For example, after â€˜-c "set VAR value"â€™, or doing the same in a script, the variable VAR will have no value that can be tested in a later script.

Here we will focus on the simpler solution: one user config file, including basic configuration plus any TCL procedures to simplify your work.

5.4 User Config Files

A user configuration file ties together all the parts of a project in one place. One of the following will match your situation best:

Ideally almost everything comes from configuration files provided by someone else. For example, OpenOCD distributes a â€˜scriptsâ€™ directory (probably in â€˜/usr/share/openocd/scriptsâ€™ on Linux). Board and tool vendors can provide these too, as can individual user sites; the â€˜-sâ€™ command line option lets you say where to find these files. (See section [#Running Running].) The AT91SAM7X256 example above works this way.

Three main types of non-user configuration file each have their own subdirectory in the â€˜scriptsâ€™ directory:

interface â€“ one for each different debug adapter;

board â€“ one for each different board

target â€“ the chips which integrate CPUs and other JTAG TAPs

Best case: include just two files, and they handle everything else. The first is an interface config file. The second is board-specific, and it sets up the JTAG TAPs and their GDB targets (by deferring to some â€˜target.cfgâ€™ file), declares all flash memory, and leaves you nothing to do except meet your deadline:

Boards with a single microcontroller often wonâ€™t need more than the target config file, as in the AT91SAM7X256 example. Thatâ€™s because there is no external memory (flash, DDR RAM), and the board differences are encapsulated by application code.

Maybe you donâ€™t know yet what your board looks like to JTAG. Once you know the â€˜interface.cfgâ€™ file to use, you may need help from OpenOCD to discover whatâ€™s on the board. Once you find the JTAG TAPs, you can just search for appropriate target and board configuration files ... or write your own, from the bottom up. See [#Autoprobing Autoprobing].

You can often reuse some standard config files but need to write a few new ones, probably a â€˜board.cfgâ€™ file. You will be using commands described later in this Userâ€™s Guide, and working with the guidelines in the next chapter.

For example, there may be configuration files for your JTAG adapter and target chip, but you need a new board-specific config file giving access to your particular flash chips. Or you might need to write another target chip configuration file for a new chip built around the Cortex M3 core.

Note: When you write new configuration files, please submit them for inclusion in the next OpenOCD release. For example, a â€˜board/newboard.cfgâ€™ file will help the next users of that board, and a â€˜target/newcpu.cfgâ€™ will help support users of any board using that chip.

You may may need to write some C code. It may be as simple as a supporting a new ft2232 or parport based adapter; a bit more involved, like a NAND or NOR flash controller driver; or a big piece of work like supporting a new chip architecture.

Reuse the existing config files when you can. Look first in the â€˜scripts/boardsâ€™ area, then â€˜scripts/targetsâ€™. You may find a board configuration thatâ€™s a good example to follow.

When you write config files, separate the reusable parts (things every user of that interface, chip, or board needs) from ones specific to your environment and debugging approach.

For example, a gdb-attach event handler that invokes the reset init command will interfere with debugging early boot code, which performs some of the same actions that the reset-init event handler does.

Likewise, the arm9 vector_catch command (or its siblings xscale vector_catch and cortex_m3 vector_catch) can be a timesaver during some debug sessions, but donâ€™t make everyone use that either. Keep those kinds of debugging aids in your user config file, along with messaging and tracing setup. (See [#Software-Debug-Messages-and-Tracing Software Debug Messages and Tracing].)

You might need to override some defaults. For example, you might need to move, shrink, or back up the targetâ€™s work area if your application needs much SRAM.

TCP/IP port configuration is another example of something which is environment-specific, and should only appear in a user config file. See [#TCP_002fIP-Ports TCP/IP Ports].

5.5 Project-Specific Utilities

A few project-specific utility routines may well speed up your work. Write them, and keep them in your projectâ€™s user config file.

For example, if you are making a boot loader work on a board, itâ€™s nice to be able to debug the â€œafter itâ€™s loaded to RAMâ€ parts separately from the finicky early code which sets up the DDR RAM controller and clocks. A script like this one, or a more GDB-aware sibling, may help:

Then once that code is working you will need to make it boot from NOR flash; a different utility would help. Alternatively, some developers write to flash using GDB. (You might use a similar script if youâ€™re working with a flash based microcontroller application instead of a boot loader.)

proc newboot { } {
# Reset, leaving the CPU halted. The "reset-init" event
# proc gives faster access to the CPU and to NOR flash;
# "reset halt" would be slower.
reset init
# Write standard version of U-Boot into the first two
# sectors of NOR flash ... the standard version should
# do the same lowlevel init as "reset-init".
flash protect 0 0 1 off
flash erase_sector 0 0 1
flash write_bank 0 u-boot.bin 0x0
flash protect 0 0 1 on
# Reboot from scratch using that new boot loader.
reset run
}

You may need more complicated utility procedures when booting from NAND. That often involves an extra bootloader stage, running from on-chip SRAM to perform DDR RAM setup so it can load the main bootloader code (which wonâ€™t fit into that SRAM).

Other helper scripts might be used to write production system images, involving considerably more than just a three stage bootloader.

5.6 Target Software Changes

Sometimes you may want to make some small changes to the software youâ€™re developing, to help make JTAG debugging work better. For example, in C or assembly language code you might use #ifdef JTAG_DEBUG (or its converse) around code handling issues like:

Watchdog Timers... Watchog timers are typically used to automatically reset systems if some application task doesnâ€™t periodically reset the timer. (The assumption is that the system has locked up if the task canâ€™t run.) When a JTAG debugger halts the system, that task wonâ€™t be able to run and reset the timer ... potentially causing resets in the middle of your debug sessions.

Itâ€™s rarely a good idea to disable such watchdogs, since their usage needs to be debugged just like all other parts of your firmware. That might however be your only option.
Look instead for chip-specific ways to stop the watchdog from counting while the system is in a debug halt state. It may be simplest to set that non-counting mode in your debugger startup scripts. You may however need a different approach when, for example, a motor could be physically damaged by firmware remaining inactive in a debug halt state. That might involve a type of firmware mode where that "non-counting" mode is disabled at the beginning then re-enabled at the end; a watchdog reset might fire and complicate the debug session, but hardware (or people) would be protected.[#FOOT1 (1)]

ARM Semihosting... When linked with a special runtime library provided with many toolchains[#FOOT2 (2)], your target code can use I/O facilities on the debug host. That library provides a small set of system calls which are handled by OpenOCD. It can let the debugger provide your system console and a file system, helping with early debugging or providing a more capable environment for sometimes-complex tasks like installing system firmware onto NAND or SPI flash.

ARM Wait-For-Interrupt... Many ARM chips synchronize the JTAG clock using the core clock. Low power states which stop that core clock thus prevent JTAG access. Idle loops in tasking environments often enter those low power states via the WFI instruction (or its coprocessor equivalent, before ARMv7).

You may want to disable that instruction in source code, or otherwise prevent using that state, to ensure you can get JTAG access at any time.[#FOOT3 (3)] For example, the OpenOCD halt command may not work for an idle processor otherwise.

Delay after reset... Not all chips have good support for debugger access right after reset; many LPC2xxx chips have issues here. Similarly, applications that reconfigure pins used for JTAG access as they start will also block debugger access.

To work with boards like this, enable a short delay loop the first thing after reset, before "real" startup activities. For example, one secondâ€™s delay is usually more than enough time for a JTAG debugger to attach, so that early code execution can be debugged or firmware can be replaced.

Debug Communications Channel (DCC)... Some processors include mechanisms to send messages over JTAG. Many ARM cores support these, as do some cores from other vendors. (OpenOCD may be able to use this DCC internally, speeding up some operations like writing to memory.)

Your application may want to deliver various debugging messages over JTAG, by linking with a small library of code provided with OpenOCD and using the utilities there to send various kinds of message. See [#Software-Debug-Messages-and-Tracing Software Debug Messages and Tracing].

5.7 Target Hardware Setup

Chip vendors often provide software development boards which are highly configurable, so that they can support all options that product boards may require. Make sure that any jumpers or switches match the system configuration you are working with.

Common issues include:

JTAG setup ... Boards may support more than one JTAG configuration. Examples include jumpers controlling pullups versus pulldowns on the nTRST and/or nSRST signals, and choice of connectors (e.g. which of two headers on the base board, or one from a daughtercard). For some Texas Instruments boards, you may need to jumper the EMU0 and EMU1 signals (which OpenOCD wonâ€™t currently control).

Boot Modes ... Complex chips often support multiple boot modes, controlled by external jumpers. Make sure this is set up correctly. For example many i.MX boards from NXP need to be jumpered to "ATX mode" to start booting using the on-chip ROM, when using second stage bootloader code stored in a NAND flash chip.

Such explicit configuration is common, and not limited to booting from NAND. You might also need to set jumpers to start booting using code loaded from an MMC/SD card; external SPI flash; Ethernet, UART, or USB links; NOR flash; OneNAND flash; some external host; or various other sources.

Memory Addressing ... Boards which support multiple boot modes may also have jumpers to configure memory addressing. One board, for example, jumpers external chipselect 0 (used for booting) to address either a large SRAM (which must be pre-loaded via JTAG), NOR flash, or NAND flash. When itâ€™s jumpered to address NAND flash, that board must also be told to start booting from on-chip ROM.

Your â€˜board.cfgâ€™ file may also need to be told this jumper configuration, so that it can know whether to declare NOR flash using flash bank or instead declare NAND flash with nand device; and likewise which probe to perform in its reset-init handler.
A closely related issue is bus width. Jumpers might need to distinguish between 8 bit or 16 bit bus access for the flash used to start booting.

Peripheral Access ... Development boards generally provide access to every peripheral on the chip, sometimes in multiple modes (such as by providing multiple audio codec chips). This interacts with software configuration of pin multiplexing, where for example a given pin may be routed either to the MMC/SD controller or the GPIO controller. It also often interacts with configuration jumpers. One jumper may be used to route signals to an MMC/SD card slot or an expansion bus (which might in turn affect booting); others might control which audio or video codecs are used.

Plus you should of course have reset-init event handlers which set up the hardware to match that jumper configuration. That includes in particular any oscillator or PLL used to clock the CPU, and any memory controllers needed to access external memory and peripherals. Without such handlers, you wonâ€™t be able to access those resources without working target firmware which can do that setup ... this can be awkward when youâ€™re trying to debug that target firmware. Even if thereâ€™s a ROM bootloader which handles a few issues, it rarely provides full access to all board-specific capabilities.

6. Config File Guidelines

This chapter is aimed at any user who needs to write a config file, including developers and integrators of OpenOCD and any user who needs to get a new board working smoothly. It provides guidelines for creating those files.

You should find the following directories under $(INSTALLDIR)/scripts, with files including the ones listed here. Use them as-is where you can; or as models for new files.

â€˜boardâ€™ ... think Circuit Board, PWA, PCB, they go by many names. Board files contain initialization items that are specific to a board. They reuse target configuration files, since the same microprocessor chips are used on many boards, but support for external parts varies widely. For example, the SDRAM initialization sequence for the board, or the type of external flash and what address it uses. Any initialization sequence to enable that external flash or SDRAM should be found in the board file. Boards may also contain multiple targets: two CPUs; or a CPU and an FPGA.

â€˜targetâ€™ ... think chip. The â€œtargetâ€ directory represents the JTAG TAPs on a chip which OpenOCD should control, not a board. Two common types of targets are ARM chips and FPGA or CPLD chips. When a chip has multiple TAPs (maybe it has both ARM and DSP cores), the target config file defines all of them.

6.1 Interface Config Files

The user config file should be able to source one of these files with a command like this:

source [find interface/FOOBAR.cfg]

A preconfigured interface file should exist for every debug adapter in use today with OpenOCD. That said, perhaps some of these config files have only been used by the developer who created it.

A separate chapter gives information about how to set these up. See section [#Debug-Adapter-Configuration Debug Adapter Configuration]. Read the OpenOCD source code (and Developerâ€™s Guide) if you have a new kind of hardware interface and need to provide a driver for it.

6.2.1 Communication Between Config files

In addition to target-specific utility code, another way that board and target config files communicate is by following a convention on how to use certain variables.

The full Tcl/Tk language supports â€œnamespacesâ€, but Jim-Tcl does not. Thus the rule we follow in OpenOCD is this: Variables that begin with a leading underscore are temporary in nature, and can be modified and used at will within a target configuration file.

Complex board config files can do the things like this, for a board with three chips:

That example is oversimplified because it doesnâ€™t show any flash memory, or the reset-init event handlers to initialize external DRAM or (assuming it needs it) load a configuration into the FPGA. Such features are usually needed for low-level work with many boards, where â€œlow levelâ€ implies that the board initialization software may not be working. (Thatâ€™s a common reason to need JTAG tools. Another is to enable working with microcontroller-based systems, which often have no debugging support except a JTAG connector.)

Target config files may also export utility functions to board and user config files. Such functions should use name prefixes, to help avoid naming collisions.

Board files could also accept input variables from user config files. For example, there might be a J4_JUMPER setting used to identify what kind of flash memory a development board is using, or how to set up other clocks and peripherals.

6.2.2 Variable Naming Convention

Most boards have only one instance of a chip. However, it should be easy to create a board with more than one such chip (as shown above). Accordingly, we encourage these conventions for naming variables associated with different â€˜target.cfgâ€™ files, to promote consistency and so that board files can override target defaults.

Inputs to target config files include:

CHIPNAME ... This gives a name to the overall chip, and is used as part of tap identifier dotted names. While the default is normally provided by the chip manufacturer, board files may need to distinguish between instances of a chip.

ENDIAN ... By default â€˜littleâ€™ - although chips may hard-wire â€˜bigâ€™. Chips that canâ€™t change endianness donâ€™t need to use this variable.

CPUTAPID ... When OpenOCD examines the JTAG chain, it can be told verify the chips against the JTAG IDCODE register. The target file will hold one or more defaults, but sometimes the chip in a board will use a different ID (perhaps a newer revision).

Outputs from target config files include:

_TARGETNAME ... By convention, this variable is created by the target configuration script. The board configuration file may make use of this variable to configure things like a â€œreset initâ€ script, or other things specific to that board and that target. If the chip has 2 targets, the names are _TARGETNAME0, _TARGETNAME1, ... etc.

6.2.3 The reset-init Event Handler

Board config files run in the OpenOCD configuration stage; they canâ€™t use TAPs or targets, since they havenâ€™t been fully set up yet. This means you canâ€™t write memory or access chip registers; you canâ€™t even verify that a flash chip is present. Thatâ€™s done later in event handlers, of which the target reset-init handler is one of the most important.

Except on microcontrollers, the basic job of reset-init event handlers is setting up flash and DRAM, as normally handled by boot loaders. Microcontrollers rarely use boot loaders; they run right out of their on-chip flash and SRAM memory. But they may want to use one of these handlers too, if just for developer convenience.

Note: Because this is so very board-specific, and chip-specific, no examples are included here. Instead, look at the board config files distributed with OpenOCD. If you have a boot loader, its source code will help; so will configuration files for other JTAG tools (see [#Translating-Configuration-Files Translating Configuration Files]).

Some of this code could probably be shared between different boards. For example, setting up a DRAM controller often doesnâ€™t differ by much except the bus width (16 bits or 32?) and memory timings, so a reusable TCL procedure loaded by the â€˜target.cfgâ€™ file might take those as parameters. Similarly with oscillator, PLL, and clock setup; and disabling the watchdog. Structure the code cleanly, and provide comments to help the next developer doing such work. (You might be that next person trying to reuse init code!)

The last thing normally done in a reset-init handler is probing whatever flash memory was configured. For most chips that needs to be done while the associated target is halted, either because JTAG memory access uses the CPU or to prevent conflicting CPU access.

6.2.4 JTAG Clock Rate

Before your reset-init handler has set up the PLLs and clocking, you may need to run with a low JTAG clock rate. See [#JTAG-Speed JTAG Speed]. Then youâ€™d increase that rate after your handler has made it possible to use the faster JTAG clock. When the initial low speed is board-specific, for example because it depends on a board-specific oscillator speed, then you should probably set it up in the board config file; if itâ€™s target-specific, it belongs in the target config file.

For most ARM-based processors the fastest JTAG clock[#FOOT4 (4)] is one sixth of the CPU clock; or one eighth for ARM11 cores. Consult chip documentation to determine the peak JTAG clock rate, which might be less than that.

Warning: On most ARMs, JTAG clock detection is coupled to the core clock, so software using a â€˜wait for interruptâ€™ operation blocks JTAG access. Adaptive clocking provides a partial workaround, but a more complete solution just avoids using that instruction with JTAG debuggers.

If both the chip and the board support adaptive clocking, use the jtag_rclk command, in case your board is used with JTAG adapter which also supports it. Otherwise use adapter_khz. Set the slow rate at the beginning of the reset sequence, and the faster rate as soon as the clocks are at full speed.

6.2.5 The init_board procedure

The concept of init_board procedure is very similar to init_targets (See [#The-init_005ftargets-procedure The init_targets procedure].) - itâ€™s a replacement of â€œlinearâ€ configuration scripts. This procedure is meant to be executed when OpenOCD enters run stage (See [#Entering-the-Run-Stage Entering the Run Stage],) after init_targets. The idea to have spearate init_targets and init_board procedures is to allow the first one to configure everything target specific (internal flash, internal RAM, etc.) and the second one to configure everything board specific (reset signals, chip frequency, reset-init event handler, external memory, etc.). Additionally â€œlinearâ€ board config file will most likely fail when target config file uses init_targets scheme (â€œlinearâ€ script is executed before init and init_targets - after), so separating these two configuration stages is very convenient, as the easiest way to overcome this problem is to convert board config file to use init_board procedure. Board config scripts donâ€™t need to override init_targets defined in target config files when they only need to to add some specifics.

Just as init_targets, the init_board procedure can be overriden by â€œnext levelâ€ script (which sources the original), allowing greater code reuse.

6.3 Target Config Files

Board config files communicate with target config files using naming conventions as described above, and may source one or more target config files like this:

source [find target/FOOBAR.cfg]

The point of a target config file is to package everything about a given chip that board config files need to know. In summary the target files should contain

Set defaults

Add TAPs to the scan chain

Add CPU targets (includes GDB support)

CPU/Chip/CPU-Core specific features

On-Chip flash

As a rule of thumb, a target file sets up only one chip. For a microcontroller, that will often include a single TAP, which is a CPU needing a GDB target, and its on-chip flash.

More complex chips may include multiple TAPs, and the target config file may need to define them all before OpenOCD can talk to the chip. For example, some phone chips have JTAG scan chains that include an ARM core for operating system use, a DSP, another ARM core embedded in an image processing engine, and other processing engines.

6.3.2 Adding TAPs to the Scan Chain

After the â€œdefaultsâ€ are set up, add the TAPs on each chip to the JTAG scan chain. See section [#TAP-Declaration TAP Declaration], and the naming convention for taps.

In the simplest case the chip has only one TAP, probably for a CPU or FPGA. The config file for the Atmel AT91SAM7X256 looks (in part) like this:

jtag newtap $_CHIPNAME cpu -irlen 4 -expected-id $_CPUTAPID

A board with two such at91sam7 chips would be able to source such a config file twice, with different values for CHIPNAME, so it adds a different TAP each time.

If there are nonzero â€˜-expected-idâ€™ values, OpenOCD attempts to verify the actual tap id against those values. It will issue error messages if there is mismatch, which can help to pinpoint problems in OpenOCD configurations.

6.3.3 Add CPU targets

After adding a TAP for a CPU, you should set it up so that GDB and other commands can use it. See section [#CPU-Configuration CPU Configuration]. For the at91sam7 example above, the command can look like this; note that $_ENDIAN is not needed, since OpenOCD defaults to little endian, and this chip doesnâ€™t support changing that.

Work areas are small RAM areas associated with CPU targets. They are used by OpenOCD to speed up downloads, and to download small snippets of code to program flash chips. If the chip includes a form of â€œon-chip-ramâ€ - and many do - define a work area if you can. Again using the at91sam7 as an example, this can look like:

6.3.5 Chip Reset Setup

As a rule, you should put the reset_config command into the board file. Most things you think you know about a chip can be tweaked by the board.

Some chips have specific ways the TRST and SRST signals are managed. In the unusual case that these are chip specific and can never be changed by board wiring, they could go here. For example, some chips canâ€™t support JTAG debugging without both signals.

Provide a reset-assert event handler if you can. Such a handler uses JTAG operations to reset the target, letting this target config be used in systems which donâ€™t provide the optional SRST signal, or on systems where you donâ€™t want to reset all targets at once. Such a handler might write to chip registers to force a reset, use a JRC to do that (preferable â€“ the target may be wedged!), or force a watchdog timer to trigger. (For Cortex-M3 targets, this is not necessary. The target driver knows how to use trigger an NVIC reset when SRST is not available.)

Some chips need special attention during reset handling if theyâ€™re going to be used with JTAG. An example might be needing to send some commands right after the targetâ€™s TAP has been reset, providing a reset-deassert-post event handler that writes a chip register to report that JTAG debugging is being done. Another would be reconfiguring the watchdog so that it stops counting while the core is halted in the debugger.

JTAG clocking constraints often change during reset, and in some cases target config files (rather than board config files) are the right places to handle some of those issues. For example, immediately after reset most chips run using a slower clock than they will use later. That means that after reset (and potentially, as OpenOCD first starts up) they must use a slower JTAG clock rate than they will use later. See [#JTAG-Speed JTAG Speed].

Important: When you are debugging code that runs right after chip reset, getting these issues right is critical. In particular, if you see intermittent failures when OpenOCD verifies the scan chain after reset, look at how you are setting up JTAG clocking.

6.3.6 The init_targets procedure

Target config files can either be â€œlinearâ€ (script executed line-by-line when parsed in configuration stage, See [#Configuration-Stage Configuration Stage],) or they can contain a special procedure called init_targets, which will be executed when entering run stage (after parsing all config files or after init command, See [#Entering-the-Run-Stage Entering the Run Stage].) Such procedure can be overriden by â€œnext levelâ€ script (which sources the original). This concept faciliates code reuse when basic target config files provide generic configuration procedures and init_targets procedure, which can then be sourced and enchanced or changed in a â€œmore specificâ€ target config file. This is not possible with â€œlinearâ€ config scripts, because sourcing them executes every initialization commands they provide.

6.3.7 ARM Core Specific Hacks

If the chip has a DCC, enable it. If the chip is an ARM9 with some special high speed download features - enable it.

If present, the MMU, the MPU and the CACHE should be disabled.

Some ARM cores are equipped with trace support, which permits examination of the instruction and data bus activity. Trace activity is controlled through an â€œEmbedded Trace Moduleâ€ (ETM) on one of the coreâ€™s scan chains. The ETM emits voluminous data through a â€œtrace portâ€. (See [#ARM-Hardware-Tracing ARM Hardware Tracing].) If you are using an external trace port, configure it in your board config file. If you are using an on-chip â€œEmbedded Trace Bufferâ€ (ETB), configure it in your target config file.

6.3.8 Internal Flash Configuration

This applies ONLY TO MICROCONTROLLERS that have flash built in.

Never ever in the â€œtarget configuration fileâ€ define any type of flash that is external to the chip. (For example a BOOT flash on Chip Select 0.) Such flash information goes in a board file - not the TARGET (chip) file.

6.4 Translating Configuration Files

If you have a configuration file for another hardware debugger or toolset (Abatron, BDI2000, BDI3000, CCS, Lauterbach, Segger, Macraigor, etc.), translating it into OpenOCD syntax is often quite straightforward. The most tricky part of creating a configuration script is oftentimes the reset init sequence where e.g. PLLs, DRAM and the like is set up.

One trick that you can use when translating is to write small Tcl procedures to translate the syntax into OpenOCD syntax. This can avoid manual translation errors and make it easier to convert other scripts later on.

Example of transforming quirky arguments to a simple search and replace job:

7.1 Configuration Stage

When the OpenOCD server process starts up, it enters a configuration stage which is the only time that certain commands, configuration commands, may be issued. Normally, configuration commands are only available inside startup scripts.

In this manual, the definition of a configuration command is presented as a Config Command, not as a Command which may be issued interactively. The runtime help command also highlights configuration commands, and those which may be issued at any time.

Those configuration commands include declaration of TAPs, flash banks, the interface used for JTAG communication, and other basic setup. The server must leave the configuration stage before it may access or activate TAPs. After it leaves this stage, configuration commands may no longer be issued.

7.2 Entering the Run Stage

The first thing OpenOCD does after leaving the configuration stage is to verify that it can talk to the scan chain (list of TAPs) which has been configured. It will warn if it doesnâ€™t find TAPs it expects to find, or finds TAPs that arenâ€™t supposed to be there. You should see no errors at this point. If you see errors, resolve them by correcting the commands you used to configure the server. Common errors include using an initial JTAG speed thatâ€™s too fast, and not providing the right IDCODE values for the TAPs on the scan chain.

Once OpenOCD has entered the run stage, a number of commands become available. A number of these relate to the debug targets you may have declared. For example, the mww command will not be available until a target has been successfuly instantiated. If you want to use those commands, you may need to force entry to the run stage.

Config Command:init

This command terminates the configuration stage and enters the run stage. This helps when you need to have the startup scripts manage tasks such as resetting the target, programming flash, etc. To reset the CPU upon startup, add "init" and "reset" at the end of the config script or at the end of the OpenOCD command line using the â€˜-câ€™ command line switch.

If this command does not appear in any startup/configuration file OpenOCD executes the command for you after processing all configuration files and/or command line options.
NOTE: This command normally occurs at or near the end of your openocd.cfg file to force OpenOCD to â€œinitializeâ€ and make the targets ready. For example: If your openocd.cfg file needs to read/write memory on your target, init must occur before the memory read/write commands. This includes nand probe.

Overridable Procedure:jtag_init

This is invoked at server startup to verify that it can talk to the scan chain (list of TAPs) which has been configured.

The default implementation first tries jtag arp_init, which uses only a lightweight JTAG reset before examining the scan chain. If that fails, it tries again, using a harder reset from the overridable procedure init_reset.
Implementations must have verified the JTAG scan chain before they return. This is done by calling jtag arp_init (or jtag arp_init-reset).

7.3 TCP/IP Ports

The OpenOCD server accepts remote commands in several syntaxes. Each syntax uses a different TCP/IP port, which you may specify only during configuration (before those ports are opened).

For reasons including security, you may wish to prevent remote access using one or more of these ports. In such cases, just specify the relevant port number as zero. If you disable all access through TCP/IP, you will need to use the command line â€˜-pipeâ€™ option.

Command:gdb_port [number]

Normally gdb listens to a TCP/IP port, but GDB can also communicate via pipes(stdin/out or named pipes). The name "gdb_port" stuck because it covers probably more than 90% of the normal use cases.

No arguments reports GDB port. "pipe" means listen to stdin output to stdout, an integer is base port number, "disable" disables the gdb server.
When using "pipe", also use log_output to redirect the log output to a file so as not to flood the stdin/out pipes.
The -p/â€“pipe option is deprecated and a warning is printed as it is equivalent to passing in -c "gdb_port pipe; log_output openocd.log".
Any other string is interpreted as named pipe to listen to. Output pipe is the same name as input pipe, but with â€™oâ€™ appended, e.g. /var/gdb, /var/gdbo.
The GDB port for the first target will be the base port, the second target will listen on gdb_port 1, and so on. When not specified during the configuration stage, the port number defaults to 3333.

Command:tcl_port [number]

Specify or query the port used for a simplified RPC connection that can be used by clients to issue TCL commands and get the output from the Tcl engine. Intended as a machine interface. When not specified during the configuration stage, the port number defaults to 6666.

Command:telnet_port [number]

Specify or query the port on which to listen for incoming telnet connections. This port is intended for interaction with one human through TCL commands. When not specified during the configuration stage, the port number defaults to 4444. When specified as zero, this port is not activated.

7.4 GDB Configuration

You can reconfigure some GDB behaviors if needed. The ones listed here are static and global. See [#Target-Configuration Target Configuration], about configuring individual targets. See [#Target-Events Target Events], about configuring target-specific event handling.

Command:gdb_breakpoint_override [â€˜hardâ€™|â€˜softâ€™|â€˜disableâ€™]

Force breakpoint type for gdb break commands. This option supports GDB GUIs which donâ€™t distinguish hard versus soft breakpoints, if the default OpenOCD and GDB behaviour is not sufficient. GDB normally uses hardware breakpoints if the memory map has been set up for flash regions.

Config Command:gdb_flash_program (â€˜enableâ€™|â€˜disableâ€™)

Set to â€˜enableâ€™ to cause OpenOCD to program the flash memory when a vFlash packet is received. The default behaviour is â€˜enableâ€™.

Config Command:gdb_memory_map (â€˜enableâ€™|â€˜disableâ€™)

Set to â€˜enableâ€™ to cause OpenOCD to send the memory configuration to GDB when requested. GDB will then know when to set hardware breakpoints, and program flash using the GDB load command. gdb_flash_program enable must also be enabled for flash programming to work. Default behaviour is â€˜enableâ€™. See [#gdb_005fflash_005fprogram gdb_flash_program].

Config Command:gdb_report_data_abort (â€˜enableâ€™|â€˜disableâ€™)

Specifies whether data aborts cause an error to be reported by GDB memory read packets. The default behaviour is â€˜disableâ€™; use â€˜enableâ€™ see these errors reported.

7.5 Event Polling

Hardware debuggers are parts of asynchronous systems, where significant events can happen at any time. The OpenOCD server needs to detect some of these events, so it can report them to through TCL command line or to GDB.

Examples of such events include:

One of the targets can stop running ... maybe it triggers a code breakpoint or data watchpoint, or halts itself.

Messages may be sent over â€œdebug messageâ€ channels ... many targets support such messages sent over JTAG, for receipt by the person debugging or tools.

Loss of power ... some adapters can detect these events.

Resets not issued through JTAG ... such reset sources can include button presses or other system hardware, sometimes including the target itself (perhaps through a watchdog).

Debug instrumentation sometimes supports event triggering such as â€œtrace buffer fullâ€ (so it can quickly be emptied) or other signals (to correlate with code behavior).

None of those events are signaled through standard JTAG signals. However, most conventions for JTAG connectors include voltage level and system reset (SRST) signal detection. Some connectors also include instrumentation signals, which can imply events when those signals are inputs.

In general, OpenOCD needs to periodically check for those events, either by looking at the status of signals on the JTAG connector or by sending synchronous â€œtell me your statusâ€ JTAG requests to the various active targets. There is a command to manage and monitor that polling, which is normally done in the background.

Command:poll [â€˜onâ€™|â€˜offâ€™]

Poll the current target for its current state. (Also, see [#target-curstate target curstate].) If that target is in debug mode, architecture specific information about the current state is printed. An optional parameter allows background polling to be enabled and disabled.

You could use this from the TCL command shell, or from GDB using monitor poll command. Leave background polling enabled while youâ€™re using GDB.

8. Debug Adapter Configuration

Correctly installing OpenOCD includes making your operating system give OpenOCD access to debug adapters. Once that has been done, Tcl commands are used to select which one is used, and to configure how it is used.

Note: Because OpenOCD started out with a focus purely on JTAG, you may find places where it wrongly presumes JTAG is the only transport protocol in use. Be aware that recent versions of OpenOCD are removing that limitation. JTAG remains more functional than most other transports. Other transports do not support boundary scan operations, or may be specific to a given chip vendor. Some might be usable only for programming flash memory, instead of also for debugging.

Debug Adapters/Interfaces/Dongles are normally configured through commands in an interface configuration file which is sourced by your â€˜openocd.cfgâ€™ file, or through a command line â€˜-f interface/....cfgâ€™ option.

source [find interface/olimex-jtag-tiny.cfg]

These commands tell OpenOCD what type of JTAG adapter you have, and how to talk to it. A few cases are so simple that you only need to say what driver to use:

8.1 Interface Configuration

The interface command tells OpenOCD what type of debug adapter you are using. Depending on the type of adapter, you may need to use one or more additional commands to further identify or configure the adapter.

Config Command:interface name

Use the interface driver name to connect to the target.

Command:interface_list

List the debug adapter drivers that have been built into the running copy of OpenOCD.

Command:interface transports transport_name

Specifies the transports supported by this debug adapter. The adapter driver builds-in similar knowledge; use this only when external configuration (such as jumpering) changes what the hardware can support.

FTDI FT2232 (USB) based devices over one of the userspace libraries. These interfaces have several commands, used to configure the driver before initializing the JTAG scan chain:

Config Command:ft2232_device_desc description

Provides the USB device description (the iProduct string) of the FTDI FT2232 device. If not specified, the FTDI default value is used. This setting is only valid if compiled with FTD2XX support.

Config Command:ft2232_serial serial-number

Specifies the serial-number of the FTDI FT2232 device to use, in case the vendor provides unique IDs and more than one FT2232 device is connected to the host. If not specified, serial numbers are not considered. (Note that USB serial numbers can be arbitrary Unicode strings, and are not restricted to containing only decimal digits.)

Config Command:ft2232_layout name

Each vendorâ€™s FT2232 device can use different GPIO signals to control output-enables, reset signals, and LEDs. Currently valid layout name values include:

- axm0432_jtag Axiom AXM-0432

- comstick Hitex STR9 comstick

- cortino Hitex Cortino JTAG interface

- evb_lm3s811 Luminary Micro EVB_LM3S811 as a JTAG interface, either for the local Cortex-M3 (SRST only) or in a passthrough mode (neither SRST nor TRST) This layout can not support the SWO trace mechanism, and should be used only for older boards (before rev C).

- luminary_icdi This layout should be used with most Luminary eval boards, including Rev C LM3S811 eval boards and the eponymous ICDI boards, to debug either the local Cortex-M3 or in passthrough mode to debug some other target. It can support the SWO trace mechanism.

- flyswatter Tin Can Tools Flyswatter

- icebear ICEbear JTAG adapter from Section 5

- jtagkey Amontec JTAGkey and JTAGkey-Tiny (and compatibles)

- jtagkey2 Amontec JTAGkey2 (and compatibles)

- m5960 American Microsystems M5960

- olimex-jtag Olimex ARM-USB-OCD and ARM-USB-Tiny

- oocdlink OOCDLink

- redbee-econotag Integrated with a Redbee development board.

- redbee-usb Integrated with a Redbee USB-stick development board.

- sheevaplug Marvell Sheevaplug development kit

- signalyzer Xverve Signalyzer

- stm32stick Hitex STM32 Performance Stick

- turtelizer2 egnite Software turtelizer2

- usbjtag "USBJTAG-1" layout described in the OpenOCD diploma thesis

Config Command:ft2232_vid_pid [vid pid]

The vendor ID and product ID of the FTDI FT2232 device. If not specified, the FTDI default values are used. Currently, up to eight [vid, pid] pairs may be given, e.g.

ft2232_vid_pid 0x0403 0xcff8 0x15ba 0x0003

Config Command:ft2232_latency ms

On some systems using FT2232 based JTAG interfaces the FT_Read function call in ft2232_read() fails to return the expected number of bytes. This can be caused by USB communication delays and has proved hard to reproduce and debug. Setting the FT2232 latency timer to a larger value increases delays for short USB packets but it also reduces the risk of timeouts before receiving the expected number of bytes. The OpenOCD default value is 2 and for some systems a value of 10 has proved useful.

For example, the interface config file for a Turtelizer JTAG Adapter looks something like this:

USB JTAG/USB-Blaster compatibles over one of the userspace libraries for FTDI chips. These interfaces have several commands, used to configure the driver before initializing the JTAG scan chain:

Config Command:usb_blaster_device_desc description

Provides the USB device description (the iProduct string) of the FTDI FT245 device. If not specified, the FTDI default value is used. This setting is only valid if compiled with FTD2XX support.

Config Command:usb_blaster_vid_pid vid pid

The vendor ID and product ID of the FTDI FT245 device. If not specified, default values are used. Currently, only one vid, pid pair may be given, e.g. for Altera USB-Blaster (default):

usb_blaster_vid_pid 0x09FB 0x6001

The following VID/PID is for Kolja Waschkâ€™s USB JTAG:

usb_blaster_vid_pid 0x16C0 0x06AD

Command:usb_blaster (â€˜pin6â€™|â€˜pin8â€™) (â€˜0â€™|â€˜1â€™)

Sets the state of the unused GPIO pins on USB-Blasters (pins 6 and 8 on the female JTAG header). These pins can be used as SRST and/or TRST provided the appropriate connections are made on the target board.

Gateworks GW16012 JTAG programmer. This has one driver-specific command:

Config Command:parport_port [port_number]

Display either the address of the I/O port (default: 0x378 for LPT1) or the number of the â€˜/dev/parportâ€™ device. If a parameter is provided, first switch to use that port. This is a write-once setting.

Interface Driver:jlink

Segger jlink USB adapter

Interface Driver:parport

Supports PC parallel port bit-banging cables: Wigglers, PLD download cable, and more. These interfaces have several commands, used to configure the driver before initializing the JTAG scan chain:

Config Command:parport_cable name

Set the layout of the parallel port cable used to connect to the target. This is a write-once setting. Currently valid cable name values include:

- altium Altium Universal JTAG cable.

- arm-jtag Same as original wiggler except SRST and TRST connections reversed and TRST is also inverted.

- chameleon The Amontec Chameleonâ€™s CPLD when operated in configuration mode. This is only used to program the Chameleon itself, not a connected target.

- dlc5 The Xilinx Parallel cable III.

- flashlink The ST Parallel cable.

- lattice Lattice ispDOWNLOAD Cable

- old_amt_wiggler The Wiggler configuration that comes with some versions of Amontecâ€™s Chameleon Programmer. The new version available from the website uses the original Wiggler layout (â€™wigglerâ€™)

- wiggler The original Wiggler layout, also supported by several clones, such as the Olimex ARM-JTAG

- wiggler2 Same as original wiggler except an led is fitted on D5.

- wiggler_ntrst_inverted Same as original wiggler except TRST is inverted.

Config Command:parport_port [port_number]

Display either the address of the I/O port (default: 0x378 for LPT1) or the number of the â€˜/dev/parportâ€™ device. If a parameter is provided, first switch to use that port. This is a write-once setting.

When using PPDEV to access the parallel port, use the number of the parallel port: â€˜parport_port 0â€™ (the default). If â€˜parport_port 0x378â€™ is specified you may encounter a problem.

Command:parport_toggling_time [nanoseconds]

Displays how many nanoseconds the hardware needs to toggle TCK; the parport driver uses this value to obey the adapter_khz configuration. When the optional nanoseconds parameter is given, that setting is changed before displaying the current value.

The default setting should work reasonably well on commodity PC hardware. However, you may want to calibrate for your specific hardware.

Tip: To measure the toggling time with a logic analyzer or a digital storage oscilloscope, follow the procedure below:

> parport_toggling_time 1000
> adapter_khz 500

This sets the maximum JTAG clock speed of the hardware, but the actual speed probably deviates from the requested 500 kHz. Now, measure the time between the two closest spaced TCK transitions. You can use runtest 1000 or something similar to generate a large set of samples. Update the setting to match your measurement:

> parport_toggling_time <measured nanoseconds>

Now the clock speed will be a better match for adapter_khz rate commands given in OpenOCD scripts and event handlers.
You can do something similar with many digital multimeters, but note that youâ€™ll probably need to run the clock continuously for several seconds before it decides what clock rate to show. Adjust the toggling time up or down until the measured clock rate is a good match for the adapter_khz rate you specified; be conservative.

Config Command:parport_write_on_exit (â€˜onâ€™|â€˜offâ€™)

This will configure the parallel driver to write a known cable-specific value to the parallel interface on exiting OpenOCD.

For example, the interface configuration file for a classic â€œWigglerâ€ cable on LPT2 might look something like this:

interface parport
parport_port 0x278
parport_cable wiggler

Interface Driver:presto

ASIX PRESTO USB JTAG programmer.

Config Command:presto_serial serial_string

Configures the USB serial number of the Presto device to use.

Interface Driver:rlink

Raisonance RLink USB adapter

Interface Driver:usbprog

usbprog is a freely programmable USB adapter.

Interface Driver:vsllink

vsllink is part of Versaloon which is a versatile USB programmer.

Note: This defines quite a few driver-specific commands, which are not currently documented here.

Interface Driver:stlink

ST Micro ST-LINK adapter.

Interface Driver:ZY1000

This is the Zylin ZY1000 JTAG debugger.

Note: This defines some driver-specific commands, which are not currently documented here.

8.3 Transport Configuration

As noted earlier, depending on the version of OpenOCD you use, and the debug adapter you are using, several transports may be available to communicate with debug targets (or perhaps to program flash memory).

Command:transport list

displays the names of the transports supported by this version of OpenOCD.

Command:transport select transport_name

Select which of the supported transports to use in this OpenOCD session. The transport must be supported by the debug adapter hardware and by the version of OPenOCD you are using (including the adapterâ€™s driver). No arguments: returns name of sessionâ€™s selected transport.

8.3.1 JTAG Transport

JTAG is the original transport supported by OpenOCD, and most of the OpenOCD commands support it. JTAG transports expose a chain of one or more Test Access Points (TAPs), each of which must be explicitly declared. JTAG supports both debugging and boundary scan testing. Flash programming support is built on top of debug support.

8.3.2 SWD Transport

SWD (Serial Wire Debug) is an ARM-specific transport which exposes one Debug Access Point (DAP, which must be explicitly declared. (SWD uses fewer signal wires than JTAG.) SWD is debug-oriented, and does not support boundary scan testing. Flash programming support is built on top of debug support. (Some processors support both JTAG and SWD.)

Command:swd newdap ...

Declares a single DAP which uses SWD transport. Parameters are currently the same as "jtag newtap" but this is expected to change.

Command:swd wcr trn prescale

Updates TRN (turnaraound delay) and prescaling.fields of the Wire Control Register (WCR). No parameters: displays current settings.

8.4 JTAG Speed

JTAG clock setup is part of system setup. It does not belong with interface setup since any interface only knows a few of the constraints for the JTAG clock speed. Sometimes the JTAG speed is changed during the target initialization process: (1) slow at reset, (2) program the CPU clocks, (3) run fast. Both the "slow" and "fast" clock rates are functions of the oscillators used, the chip, the board design, and sometimes power management software that may be active.

The speed used during reset, and the scan chain verification which follows reset, can be adjusted using a reset-start target event handler. It can then be reconfigured to a faster speed by a reset-init target event handler after it reprograms those CPU clocks, or manually (if something else, such as a boot loader, sets up those clocks). See [#Target-Events Target Events]. When the initial low JTAG speed is a chip characteristic, perhaps because of a required oscillator speed, provide such a handler in the target config file. When that speed is a function of a board-specific characteristic such as which speed oscillator is used, it belongs in the board config file instead. In both cases itâ€™s safest to also set the initial JTAG clock rate to that same slow speed, so that OpenOCD never starts up using a clock speed thatâ€™s faster than the scan chain can support.

If your system supports adaptive clocking (RTCK), configuring JTAG to use that is probably the most robust approach. However, it introduces delays to synchronize clocks; so it may not be the fastest solution.

NOTE: Script writers should consider using jtag_rclk instead of adapter_khz, but only for (ARM) cores and boards which support adaptive clocking.

Command:adapter_khz max_speed_kHz

A non-zero speed is in KHZ. Hence: 3000 is 3mhz. JTAG interfaces usually support a limited number of speeds. The speed actually used wonâ€™t be faster than the speed specified.

Chip data sheets generally include a top JTAG clock rate. The actual rate is often a function of a CPU core clock, and is normally less than that peak rate. For example, most ARM cores accept at most one sixth of the CPU clock.
Speed 0 (khz) selects RTCK method. See [#FAQ-RTCK FAQ RTCK]. If your system uses RTCK, you wonâ€™t need to change the JTAG clocking after setup. Not all interfaces, boards, or targets support â€œrtckâ€. If the interface device can not support it, an error is returned when you try to use RTCK.

Function:jtag_rclk fallback_speed_kHz

This Tcl proc (defined in â€˜startup.tclâ€™) attempts to enable RTCK/RCLK. If that fails (maybe the interface, board, or target doesnâ€™t support it), falls back to the specified frequency.

9. Reset Configuration

Every system configuration may require a different reset configuration. This can also be quite confusing. Resets also interact with reset-init event handlers, which do things like setting up clocks and DRAM, and JTAG clock rates. (See [#JTAG-Speed JTAG Speed].) They can also interact with JTAG routers. Please see the various board files for examples.

Note: To maintainers and integrators: Reset configuration touches several things at once. Normally the board configuration file should define it and assume that the JTAG adapter supports everything thatâ€™s wired up to the boardâ€™s JTAG connector.

However, the target configuration file could also make note of something the silicon vendor has done inside the chip, which will be true for most (or all) boards using that chip. And when the JTAG adapter doesnâ€™t support everything, the user configuration file will need to override parts of the reset configuration provided by other files.

9.1 Types of Reset

There are many kinds of reset possible through JTAG, but they may not all work with a given board and adapter. Thatâ€™s part of why reset configuration can be error prone.

System Reset ... the SRST hardware signal resets all chips connected to the JTAG adapter, such as processors, power management chips, and I/O controllers. Normally resets triggered with this signal behave exactly like pressing a RESET button.

JTAG TAP Reset ... the TRST hardware signal resets just the TAP controllers connected to the JTAG adapter. Such resets should not be visible to the rest of the system; resetting a deviceâ€™s TAP controller just puts that controller into a known state.

Emulation Reset ... many devices can be reset through JTAG commands. These resets are often distinguishable from system resets, either explicitly (a "reset reason" register says so) or implicitly (not all parts of the chip get reset).

Other Resets ... system-on-chip devices often support several other types of reset. You may need to arrange that a watchdog timer stops while debugging, preventing a watchdog reset. There may be individual module resets.

In the best case, OpenOCD can hold SRST, then reset the TAPs via TRST and send commands through JTAG to halt the CPU at the reset vector before the 1st instruction is executed. Then when it finally releases the SRST signal, the system is halted under debugger control before any code has executed. This is the behavior required to support the reset halt and reset init commands; after reset init a board-specific script might do things like setting up DRAM. (See [#Reset-Command Reset Command].)

9.2 SRST and TRST Issues

Because SRST and TRST are hardware signals, they can have a variety of system-specific constraints. Some of the most common issues are:

Signal not available ... Some boards donâ€™t wire SRST or TRST to the JTAG connector. Some JTAG adapters donâ€™t support such signals even if they are wired up. Use the reset_configsignals options to say when either of those signals is not connected. When SRST is not available, your code might not be able to rely on controllers having been fully reset during code startup. Missing TRST is not a problem, since JTAG-level resets can be triggered using with TMS signaling.

Signals shorted ... Sometimes a chip, board, or adapter will connect SRST to TRST, instead of keeping them separate. Use the reset_configcombination options to say when those signals arenâ€™t properly independent.

Timing ... Reset circuitry like a resistor/capacitor delay circuit, reset supervisor, or on-chip features can extend the effect of a JTAG adapterâ€™s reset for some time after the adapter stops issuing the reset. For example, there may be chip or board requirements that all reset pulses last for at least a certain amount of time; and reset buttons commonly have hardware debouncing. Use the adapter_nsrst_delay and jtag_ntrst_delay commands to say when extra delays are needed.

Drive type ... Reset lines often have a pullup resistor, letting the JTAG interface treat them as open-drain signals. But thatâ€™s not a requirement, so the adapter may need to use push/pull output drivers. Also, with weak pullups it may be advisable to drive signals to both levels (push/pull) to minimize rise times. Use the reset_configtrst_type and srst_type parameters to say how to drive reset signals.

Special initialization ... Targets sometimes need special JTAG initialization sequences to handle chip-specific issues (not limited to errata). For example, certain JTAG commands might need to be issued while the system as a whole is in a reset state (SRST active) but the JTAG scan chain is usable (TRST inactive). Many systems treat combined assertion of SRST and TRST as a trigger for a harder reset than SRST alone. Such custom reset handling is discussed later in this chapter.

There can also be other issues. Some devices donâ€™t fully conform to the JTAG specifications. Trivial system-specific differences are common, such as SRST and TRST using slightly different names. There are also vendors who distribute key JTAG documentation for their chips only to developers who have signed a Non-Disclosure Agreement (NDA).

Sometimes there are chip-specific extensions like a requirement to use the normally-optional TRST signal (precluding use of JTAG adapters which donâ€™t pass TRST through), or needing extra steps to complete a TAP reset.

In short, SRST and especially TRST handling may be very finicky, needing to cope with both architecture and board specific constraints.

9.3 Commands for Handling Resets

Minimum amount of time (in milliseconds) OpenOCD should wait after asserting nSRST (active-low system reset) before allowing it to be deasserted.

Command:adapter_nsrst_delay milliseconds

How long (in milliseconds) OpenOCD should wait after deasserting nSRST (active-low system reset) before starting new JTAG operations. When a board has a reset button connected to SRST line it will probably have hardware debouncing, implying you should use this.

Command:jtag_ntrst_assert_width milliseconds

Minimum amount of time (in milliseconds) OpenOCD should wait after asserting nTRST (active-low JTAG TAP reset) before allowing it to be deasserted.

Command:jtag_ntrst_delay milliseconds

How long (in milliseconds) OpenOCD should wait after deasserting nTRST (active-low JTAG TAP reset) before starting new JTAG operations.

Command:reset_config mode_flag ...

This command displays or modifies the reset configuration of your combination of JTAG board and target in target configuration scripts.

Information earlier in this section describes the kind of problems the command is intended to address (see [#SRST-and-TRST-Issues SRST and TRST Issues]). As a rule this command belongs only in board config files, describing issues like board doesnâ€™t connect TRST; or in user config files, addressing limitations derived from a particular combination of interface and board. (An unlikely example would be using a TRST-only adapter with a board that only wires up SRST.)
The mode_flag options can be specified in any order, but only one of each type â€“ signals, combination, gates, trst_type, and srst_type â€“ may be specified at a time. If you donâ€™t provide a new value for a given type, its previous value (perhaps the default) is unchanged. For example, this means that you donâ€™t need to say anything at all about TRST just to declare that if the JTAG adapter should want to drive SRST, it must explicitly be driven high (â€˜srst_push_pullâ€™).

signals can specify which of the reset signals are connected. For example, If the JTAG interface provides SRST, but the board doesnâ€™t connect that signal properly, then OpenOCD canâ€™t use it. Possible values are â€˜noneâ€™ (the default), â€˜trst_onlyâ€™, â€˜srst_onlyâ€™ and â€˜trst_and_srstâ€™.

Tip: If your board provides SRST and/or TRST through the JTAG connector, you must declare that so those signals can be used.

The combination is an optional value specifying broken reset signal implementations. The default behaviour if no option given is â€˜separateâ€™, indicating everything behaves normally. â€˜srst_pulls_trstâ€™ states that the test logic is reset together with the reset of the system (e.g. NXP LPC2000, "broken" board layout), â€˜trst_pulls_srstâ€™ says that the system is reset together with the test logic (only hypothetical, I havenâ€™t seen hardware with such a bug, and can be worked around). â€˜combinedâ€™ implies both â€˜srst_pulls_trstâ€™ and â€˜trst_pulls_srstâ€™.

The gates tokens control flags that describe some cases where JTAG may be unvailable during reset. â€˜srst_gates_jtagâ€™ (default) indicates that asserting SRST gates the JTAG clock. This means that no communication can happen on JTAG while SRST is asserted. Its converse is â€˜srst_nogateâ€™, indicating that JTAG commands can safely be issued while SRST is active.

The optional trst_type and srst_type parameters allow the driver mode of each reset line to be specified. These values only affect JTAG interfaces with support for different driver modes, like the Amontec JTAGkey and JTAG Accelerator. Also, they are necessarily ignored if the relevant signal (TRST or SRST) is not connected.

Possible trst_type driver modes for the test reset signal (TRST) are the default â€˜trst_push_pullâ€™, and â€˜trst_open_drainâ€™. Most boards connect this signal to a pulldown, so the JTAG TAPs never leave reset unless they are hooked up to a JTAG adapter.

Possible srst_type driver modes for the system reset signal (SRST) are the default â€˜srst_open_drainâ€™, and â€˜srst_push_pullâ€™. Most boards connect this signal to a pullup, and allow the signal to be pulled low by various events including system powerup and pressing a reset button.

9.4 Custom Reset Handling

OpenOCD has several ways to help support the various reset mechanisms provided by chip and board vendors. The commands shown in the previous section give standard parameters. There are also event handlers associated with TAPs or Targets. Those handlers are Tcl procedures you can provide, which are invoked at particular points in the reset sequence.

When SRST is not an option you must set up a reset-assert event handler for your target. For example, some JTAG adapters donâ€™t include the SRST signal; and some boards have multiple targets, and you wonâ€™t always want to reset everything at once.

After configuring those mechanisms, you might still find your board doesnâ€™t start up or reset correctly. For example, maybe it needs a slightly different sequence of SRST and/or TRST manipulations, because of quirks that the reset_config mechanism doesnâ€™t address; or asserting both might trigger a stronger reset, which needs special attention.

Experiment with lower level operations, such as jtag_reset and the jtag arp_* operations shown here, to find a sequence of operations that works. See section [#JTAG-Commands JTAG Commands]. When you find a working sequence, it can be used to override jtag_init, which fires during OpenOCD startup (see [#Configuration-Stage Configuration Stage]); or init_reset, which fires during reset processing.

You might also want to provide some project-specific reset schemes. For example, on a multi-target board the standard reset command would reset all targets, but you may need the ability to reset only one target at time and thus want to avoid using the board-wide SRST signal.

Overridable Procedure:init_reset mode

This is invoked near the beginning of the reset command, usually to provide as much of a cold (power-up) reset as practical. By default it is also invoked from jtag_init if the scan chain does not respond to pure JTAG operations. The mode parameter is the parameter given to the low level reset command (â€˜haltâ€™, â€˜initâ€™, or â€˜runâ€™), â€˜setupâ€™, or potentially some other value.

The default implementation just invokes jtag arp_init-reset. Replacements will normally build on low level JTAG operations such as jtag_reset. Operations here must not address individual TAPs (or their associated targets) until the JTAG scan chain has first been verified to work.
Implementations must have verified the JTAG scan chain before they return. This is done by calling jtag arp_init (or jtag arp_init-reset).

Command:jtag arp_init

This validates the scan chain using just the four standard JTAG signals (TMS, TCK, TDI, TDO). It starts by issuing a JTAG-only reset. Then it performs checks to verify that the scan chain configuration matches the TAPs it can observe. Those checks include checking IDCODE values for each active TAP, and verifying the length of their instruction registers using TAP -ircapture and -irmask values. If these tests all pass, TAP setup events are issued to all TAPs with handlers for that event.

Command:jtag arp_init-reset

This uses TRST and SRST to try resetting everything on the JTAG scan chain (and anything else connected to SRST). It then invokes the logic of jtag arp_init.

10. TAP Declaration

Flash Programing Some chips program the flash directly via JTAG. Others do it indirectly, making a CPU do it.

Program Download Using the same CPU support GDB uses, you can initialize a DRAM controller, download code to DRAM, and then start running that code.

Boundary Scan Most chips support boundary scan, which helps test for board assembly problems like solder bridges and missing connections

OpenOCD must know about the active TAPs on your board(s). Setting up the TAPs is the core task of your configuration files. Once those TAPs are set up, you can pass their names to code which sets up CPUs and exports them as GDB targets, probes flash memory, performs low-level JTAG operations, and more.

10.1 Scan Chains

TAPs are part of a hardware scan chain, which is daisy chain of TAPs. They also need to be added to OpenOCDâ€™s software mirror of that hardware list, giving each member a name and associating other data with it. Simple scan chains, with a single TAP, are common in systems with a single microcontroller or microprocessor. More complex chips may have several TAPs internally. Very complex scan chains might have a dozen or more TAPs: several in one chip, more in the next, and connecting to other boards with their own chips and TAPs.

You can display the list with the scan_chain command. (Donâ€™t confuse this with the list displayed by the targets command, presented in the next chapter. That only displays TAPs for CPUs which are configured as debugging targets.) Hereâ€™s what the scan chain might look like for a chip more than one TAP:

OpenOCD can detect some of that information, but not all of it. See [#Autoprobing Autoprobing]. Unfortunately those TAPs canâ€™t always be autoconfigured, because not all devices provide good support for that. JTAG doesnâ€™t require supporting IDCODE instructions, and chips with JTAG routers may not link TAPs into the chain until they are told to do so.

The configuration mechanism currently supported by OpenOCD requires explicit configuration of all TAP devices using jtag newtap commands, as detailed later in this chapter. A command like this would declare one tap and name it chip1.cpu:

jtag newtap chip1 cpu -irlen 4 -expected-id 0x3ba00477

Each target configuration file lists the TAPs provided by a given chip. Board configuration files combine all the targets on a board, and so forth. Note that the order in which TAPs are declared is very important. It must match the order in the JTAG scan chain, both inside a single chip and between them. See [#FAQ-TAP-Order FAQ TAP Order].

For example, the ST Microsystems STR912 chip has three separate TAPs[#FOOT5 (5)]. To configure those taps, â€˜target/str912.cfgâ€™ includes commands something like this:

Actual config files use a variable instead of literals like â€˜str912â€™, to support more than one chip of each type. See section [#Config-File-Guidelines Config File Guidelines].

Command:jtag names

Returns the names of all current TAPs in the scan chain. Use jtag cget or jtag tapisenabled to examine attributes and state of each TAP.

foreach t [jtag names] {
puts [format "TAP: %s\n" $t]
}

Command:scan_chain

Displays the TAPs in the scan chain configuration, and their status. The set of TAPs listed by this command is fixed by exiting the OpenOCD configuration stage, but systems with a JTAG router can enable or disable TAPs dynamically.

10.2 TAP Names

When TAP objects are declared with jtag newtap, a dotted.name is created for the TAP, combining the name of a module (usually a chip) and a label for the TAP. For example: xilinx.tap, str912.flash, omap3530.jrc, dm6446.dsp, or stm32.cpu. Many other commands use that dotted.name to manipulate or refer to the TAP. For example, CPU configuration uses the name, as does declaration of NAND or NOR flash banks.

The components of a dotted name should follow â€œCâ€ symbol name rules: start with an alphabetic character, then numbers and underscores are OK; while others (including dots!) are not.

Tip: In older code, JTAG TAPs were numbered from 0..N. This feature is still present. However its use is highly discouraged, and should not be relied on; it will be removed by mid-2010. Update all of your scripts to use TAP names rather than numbers, by paying attention to the runtime warnings they trigger. Using TAP numbers in target configuration scripts prevents reusing those scripts on boards with multiple targets.

10.3 TAP Declaration Commands

Command:jtag newtap chipname tapname configparams...

Declares a new TAP with the dotted name chipname.tapname, and configured according to the various configparams.

The chipname is a symbolic name for the chip. Conventionally target config files use $_CHIPNAME, defaulting to the model name given by the chip vendor but overridable.
The tapname reflects the role of that TAP, and should follow this convention:

bs â€“ For boundary scan if this is a seperate TAP;

cpu â€“ The main CPU of the chip, alternatively arm and dsp on chips with both ARM and DSP CPUs, arm1 and arm2 on chips two ARMs, and so forth;

etb â€“ For an embedded trace buffer (example: an ARM ETB11);

flash â€“ If the chip has a flash TAP, like the str912;

jrc â€“ For JTAG route controller (example: the ICEpick modules on many Texas Instruments chips, like the OMAP3530 on Beagleboards);

tap â€“ Should be used only FPGA or CPLD like devices with a single TAP;

unknownN â€“ If you have no idea what the TAP is for (N is a number);

when in doubt â€“ Use the chip makerâ€™s name in their data sheet. For example, the Freescale IMX31 has a SDMA (Smart DMA) with a JTAG TAP; that TAP should be named sdma.

Every TAP requires at least the following configparams:

-irlenNUMBERThe length in bits of the instruction register, such as 4 or 5 bits.

A TAP may also provide optional configparams:

-disable (or -enable) Use the -disable parameter to flag a TAP which is not linked in to the scan chain after a reset using either TRST or the JTAG state machineâ€™s RESET state. You may use -enable to highlight the default state (the TAP is linked in). See [#Enabling-and-Disabling-TAPs Enabling and Disabling TAPs].

-expected-idnumberA non-zero number represents a 32-bit IDCODE which you expect to find when the scan chain is examined. These codes are not required by all JTAG devices. Repeat the option as many times as required if more than one ID code could appear (for example, multiple versions). Specify number as zero to suppress warnings about IDCODE values that were found but not included in the list.

Provide this value if at all possible, since it lets OpenOCD tell when the scan chain it sees isnâ€™t right. These values are provided in vendorsâ€™ chip documentation, usually a technical reference manual. Sometimes you may need to probe the JTAG hardware to find these values. See [#Autoprobing Autoprobing].

-ignore-versionSpecify this to ignore the JTAG version field in the -expected-id option. When vendors put out multiple versions of a chip, or use the same JTAG-level ID for several largely-compatible chips, it may be more practical to ignore the version field than to update config files to handle all of the various chip IDs. The version field is defined as bit 28-31 of the IDCODE.

-ircaptureNUMBERThe bit pattern loaded by the TAP into the JTAG shift register on entry to the IRCAPTURE state, such as 0x01. JTAG requires the two LSBs of this value to be 01. By default, -ircapture and -irmask are set up to verify that two-bit value. You may provide additional bits, if you know them, or indicate that a TAP doesnâ€™t conform to the JTAG specification.

-irmaskNUMBERA mask used with -ircapture to verify that instruction scans work correctly. Such scans are not used by OpenOCD except to verify that there seems to be no problems with JTAG scan chain operations.

10.4 Other TAP commands

Command:jtag cget dotted.name â€˜-eventâ€™ name

Command:jtag configure dotted.name â€˜-eventâ€™ name string

At this writing this TAP attribute mechanism is used only for event handling. (It is not a direct analogue of the cget/configure mechanism for debugger targets.) See the next section for information about the available events.

The configure subcommand assigns an event handler, a TCL string which is evaluated when the event is triggered. The cget subcommand returns that handler.

10.5 TAP Events

OpenOCD includes two event mechanisms. The one presented here applies to all JTAG TAPs. The other applies to debugger targets, which are associated with certain TAPs.

The TAP events currently defined are:

post-reset The TAP has just completed a JTAG reset. The tap may still be in the JTAG RESET state. Handlers for these events might perform initialization sequences such as issuing TCK cycles, TMS sequences to ensure exit from the ARM SWD mode, and more.

Because the scan chain has not yet been verified, handlers for these events should not issue commands which scan the JTAG IR or DR registers of any particular target. NOTE: As this is written (September 2009), nothing prevents such access.

setup The scan chain has been reset and verified. This handler may enable TAPs as needed.

tap-disable The TAP needs to be disabled. This handler should implement jtag tapdisable by issuing the relevant JTAG commands.

tap-enable The TAP needs to be enabled. This handler should implement jtag tapenable by issuing the relevant JTAG commands.

If you need some action after each JTAG reset, which isnâ€™t actually specific to any TAP (since you canâ€™t yet trust the scan chainâ€™s contents to be accurate), you might:

10.6 Enabling and Disabling TAPs

In some systems, a JTAG Route Controller (JRC) is used to enable and/or disable specific JTAG TAPs. Many ARM based chips from Texas Instruments include an â€œICEpickâ€ module, which is a JRC. Such chips include DaVinci and OMAP3 processors.

A given TAP may not be visible until the JRC has been told to link it into the scan chain; and if the JRC has been told to unlink that TAP, it will no longer be visible. Such routers address problems that JTAG â€œbypass modeâ€ ignores, such as:

The scan chain can only go as fast as its slowest TAP.

Having many TAPs slows instruction scans, since all TAPs receive new instructions.

TAPs in the scan chain must be powered up, which wastes power and prevents debugging some power management mechanisms.

The IEEE 1149.1 JTAG standard has no concept of a â€œdisabledâ€ tap, as implied by the existence of JTAG routers. However, the upcoming IEEE 1149.7 framework (layered on top of JTAG) does include a kind of JTAG router functionality.

In OpenOCD, tap enabling/disabling is invoked by the Tcl commands shown below, and is implemented using TAP event handlers. So for example, when defining a TAP for a CPU connected to a JTAG router, your â€˜target.cfgâ€™ file should define TAP event handlers using code that looks something like this:

Note how that particular setup event handler declaration uses quotes to evaluate $CHIP when the event is configured. Using brackets { } would cause it to be evaluated later, at runtime, when it might have a different value.

Command:jtag tapdisable dotted.name

If necessary, disables the tap by sending it a â€˜tap-disableâ€™ event. Returns the string "1" if the tap specified by dotted.name is enabled, and "0" if it is disabled.

Command:jtag tapenable dotted.name

If necessary, enables the tap by sending it a â€˜tap-enableâ€™ event. Returns the string "1" if the tap specified by dotted.name is enabled, and "0" if it is disabled.

Command:jtag tapisenabled dotted.name

Returns the string "1" if the tap specified by dotted.name is enabled, and "0" if it is disabled.

Note: Humans will find the scan_chain command more helpful for querying the state of the JTAG taps.

10.7 Autoprobing

TAP configuration is the first thing that needs to be done after interface and reset configuration. Sometimes itâ€™s hard finding out what TAPs exist, or how they are identified. Vendor documentation is not always easy to find and use.

To help you get past such problems, OpenOCD has a limited autoprobing ability to look at the scan chain, doing a blind interrogation and then reporting the TAPs it finds. To use this mechanism, start the OpenOCD server with only data that configures your JTAG interface, and arranges to come up with a slow clock (many devices donâ€™t support fast JTAG clocks right when they come out of reset).

When you start the server without any TAPs configured, it will attempt to autoconfigure the TAPs. There are two parts to this:

TAP discovery ... After a JTAG reset (sometimes a system reset may be needed too), each TAPâ€™s data registers will hold the contents of either the IDCODE or BYPASS register. If JTAG communication is working, OpenOCD will see each TAP, and report what â€˜-expected-idâ€™ to use with it.

IR Length discovery ... Unfortunately JTAG does not provide a reliable way to find out the value of the â€˜-irlenâ€™ parameter to use with a TAP that is discovered. If OpenOCD can discover the length of a TAPâ€™s instruction register, it will report it. Otherwise you may need to consult vendor documentation, such as chip data sheets or BSDL files.

In many cases your board will have a simple scan chain with just a single device. Hereâ€™s what OpenOCD reported with one board thatâ€™s a bit more complex:

Given that information, you should be able to either find some existing config files to use, or create your own. If you create your own, you would configure from the bottom up: first a â€˜target.cfgâ€™ file with these TAPs, any targets associated with them, and any on-chip resources; then a â€˜board.cfgâ€™ with off-chip resources, clocking, and so forth.

11. CPU Configuration

This chapter discusses how to set up GDB debug targets for CPUs. You can also access these targets without GDB (see section [#Architecture-and-Core-Commands Architecture and Core Commands], and [#Target-State-handling Target State handling]) and through various kinds of NAND and NOR flash commands. If you have multiple CPUs you can have multiple such targets.

Weâ€™ll start by looking at how to examine the targets you have, then look at how to add one more target and how to configure it.

11.1 Target List

All targets that have been set up are part of a list, where each member has a name. That name should normally be the same as the TAP name. You can display the list with the targets (plural!) command. This display often has only one CPU; hereâ€™s what it might look like with more than one:

One member of that list is the current target, which is implicitly referenced by many commands. Itâ€™s the one marked with a * near the target name. In particular, memory addresses often refer to the address space seen by that current target. Commands like mdw (memory display words) and flash erase_address (erase NOR flash blocks) are examples; and there are many more.

Several commands let you examine the list of targets:

Command:target count

Note: target numbers are deprecated; donâ€™t use them. They will be removed shortly after August 2010, including this command. Iterate target using target names, not by counting.

Returns the number of targets, N. The highest numbered target is N - 1.

Note: the name of this command is plural. Other target command names are singular.

With no parameter, this command displays a table of all known targets in a user friendly form.
With a parameter, this command sets the current target to the given target with the given name; this is only relevant on boards which have more than one target.

11.2 Target CPU Types and Variants

Each target has a CPU type, as shown in the output of the targets command. You need to specify that type when calling target create. The CPU type indicates more than just the instruction set. It also indicates how that instruction set is implemented, what kind of debug support it integrates, whether it has an MMU (and if so, what kind), what core-specific commands may be available (see section [#Architecture-and-Core-Commands Architecture and Core Commands]), and more.

For some CPU types, OpenOCD also defines variants which indicate differences that affect their handling. For example, a particular implementation bug might need to be worked around in some chip versions.

Itâ€™s easy to see what target types are supported, since thereâ€™s a command to list them. However, there is currently no way to list what target variants are supported (other than by reading the OpenOCD source code).

Command:target types

Lists all supported target types. At this writing, the supported CPU types and variants are:

To avoid being confused by the variety of ARM based cores, remember this key point: ARM is a technology licencing company. (See: http://www.arm.com.) The CPU name used by OpenOCD will reflect the CPU design that was licenced, not a vendor brand which incorporates that design. Name prefixes like arm7, arm9, arm11, and cortex reflect design generations; while names like ARMv4, ARMv5, ARMv6, and ARMv7 reflect an architecture version implemented by a CPU design.

11.3 Target Configuration

Before creating a â€œtargetâ€, you must have added its TAP to the scan chain. When youâ€™ve added that TAP, you will have a dotted.name which is used to set up the CPU support. The chip-specific configuration file will normally configure its CPU(s) right after it adds all of the chipâ€™s TAPs to the scan chain.

Although you can set up a target in one step, itâ€™s often clearer if you use shorter commands and do it in two steps: create it, then configure optional parts. All operations on the target after itâ€™s created will use a new command, created as part of target creation.

The two main things to configure after target creation are a work area, which usually has target-specific defaults even if the board setup code overrides them later; and event handlers (see [#Target-Events Target Events]), which tend to be much more board-specific. The key steps you use might look something like this

You should specify a working area if you can; typically it uses some on-chip SRAM. Such a working area can speed up many things, including bulk writes to target memory; flash operations like checking to see if memory needs to be erased; GDB memory checksumming; and more.

Warning: On more complex chips, the work area can become inaccessible when application code (such as an operating system) enables or disables the MMU. For example, the particular MMU context used to acess the virtual address will probably matter ... and that context might not have easy access to other addresses needed. At this writing, OpenOCD doesnâ€™t have much MMU intelligence.

Itâ€™s often very useful to define a reset-init event handler. For systems that are normally used with a boot loader, common tasks include updating clocks and initializing memory controllers. That may be needed to let you write the boot loader into flash, in order to â€œde-brickâ€ your board; or to load programs into external DDR memory without having run the boot loader.

Command:target create target_name type configparams...

This command creates a GDB debug target that refers to a specific JTAG tap. It enters that target into a list, and creates a new command (target_name) which is used for various purposes including additional configuration.

target_name ... is the name of the debug target. By convention this should be the same as the dotted.name of the TAP associated with this target, which must be specified here using the -chain-position dotted.name configparam.

This name is also used to create the target object command, referred to here as $target_name, and in other places the target needs to be identified.

type ... specifies the target type. See [#target-types target types].

configparams ... all parameters accepted by $target_name configure are permitted. If the target is big-endian, set it here with -endian big. If the variant matters, set it here with -variant.

You must set the -chain-position dotted.name here.

Command:$target_name configure configparams...

The options accepted by this command may also be specified as parameters to target create. Their values can later be queried one at a time by using the $target_name cget command.

Warning: changing some of these after setup is dangerous. For example, moving a target from one TAP to another; and changing its endianness or variant.

-chain-positiondotted.name â€“ names the TAP used to access this target.

-eventevent_nameevent_body â€“ See [#Target-Events Target Events]. Note that this updates a list of named event handlers. Calling this twice with two different event names assigns two different handlers, but calling it twice with the same event name assigns only one handler.

-variantname â€“ specifies a variant of the target, which OpenOCD needs to know about.

-work-area-backup (â€˜0â€™|â€˜1â€™) â€“ says whether the work area gets backed up; by default, it is not backed up. When possible, use a working_area that doesnâ€™t need to be backed up, since performing a backup slows down operations. For example, the beginning of an SRAM block is likely to be used by most build systems, but the end is often unused.

-work-area-sizesize â€“ specify work are size, in bytes. The same size applies regardless of whether its physical or virtual address is being used.

-work-area-physaddress â€“ set the work area base address to be used when no MMU is active.

-work-area-virtaddress â€“ set the work area base address to be used when an MMU is active. Do not specify a value for this except on targets with an MMU. The value should normally correspond to a static mapping for the -work-area-phys address, set up by the current operating system.

11.4 Other $target_name Commands

The Tcl/Tk language has the concept of object commands, and OpenOCD adopts that same model for targets.

A good Tk example is a on screen button. Once a button is created a button has a name (a path in Tk terms) and that name is useable as a first class command. For example in Tk, one can create a button and later configure it like this:

In OpenOCDâ€™s terms, the â€œtargetâ€ is an object just like a Tcl/Tk button, and its object commands are invoked the same way.

str912.cpu mww 0x1234 0x42
omap3530.cpu mww 0x5555 123

The commands supported by OpenOCD target objects are:

Command:$target_name arp_examine

Command:$target_name arp_halt

Command:$target_name arp_poll

Command:$target_name arp_reset

Command:$target_name arp_waitstate

Internal OpenOCD scripts (most notably â€˜startup.tclâ€™) use these to deal with specific reset cases. They are not otherwise documented here.

Command:$target_name array2mem arrayname width address count

Command:$target_name mem2array arrayname width address count

These provide an efficient script-oriented interface to memory. The array2mem primitive writes bytes, halfwords, or words; while mem2array reads them. In both cases, the TCL side uses an array, and the target side uses raw memory.

The efficiency comes from enabling the use of bulk JTAG data transfer operations. The script orientation comes from working with data values that are packaged for use by TCL scripts; mdw type primitives only print data they retrieve, and neither store nor return those values.

arrayname ... is the name of an array variable

width ... is 8/16/32 - indicating the memory access size

address ... is the target memory address

count ... is the number of elements to process

Command:$target_name cget queryparm

Each configuration parameter accepted by $target_name configure can be individually queried, to return its current value. The queryparm is a parameter name accepted by that command, such as -work-area-phys. There are a few special cases:

-eventevent_name â€“ returns the handler for the event named event_name. This is a special case because setting a handler requires two parameters.

-type â€“ returns the target type. This is a special case because this is set using target create and canâ€™t be changed using $target_name configure.

For example, if you wanted to summarize information about all the targets you might use something like this:

Displays a table listing all event handlers currently associated with this target. See [#Target-Events Target Events].

Command:$target_name invoke-event event_name

Invokes the handler for the event named event_name. (This is primarily intended for use by OpenOCD framework code, for example by the reset code in â€˜startup.tclâ€™.)

Command:$target_name mdw addr [count]

Command:$target_name mdh addr [count]

Command:$target_name mdb addr [count]

Display contents of address addr, as 32-bit words (mdw), 16-bit halfwords (mdh), or 8-bit bytes (mdb). If count is specified, displays that many units. (If you want to manipulate the data instead of displaying it, see the mem2array primitives.)

11.5 Target Events

At various times, certain things can happen, or you want them to happen. For example:

What should happen when GDB connects? Should your target reset?

When GDB tries to flash the target, do you need to enable the flash via a special command?

Is using SRST appropriate (and possible) on your system? Or instead of that, do you need to issue JTAG commands to trigger reset? SRST usually resets everything on the scan chain, which can be inappropriate.

During reset, do you need to write to certain memory locations to set up system clocks or to reconfigure the SDRAM? How about configuring the watchdog timer, or other peripherals, to stop running while you hold the core stopped for debugging?

All of the above items can be addressed by target event handlers. These are set up by $target_name configure -event or target create ... -event.

The programmerâ€™s model matches the -command option used in Tcl/Tk buttons and events. The two examples below act the same, but one creates and invokes a small procedure while the other inlines it.

debug-halted The target has halted for debug reasons (i.e.: breakpoint)

debug-resumed The target has resumed (i.e.: gdb said run)

early-halted Occurs early in the halt process

gdb-attach When GDB connects. This is before any communication with the target, so this can be used to set up the target so it is possible to probe flash. Probing flash is necessary during gdb connect if gdb load is to write the image to flash. Another use of the flash memory map is for GDB to automatically hardware/software breakpoints depending on whether the breakpoint is in RAM or read only memory.

gdb-detach When GDB disconnects

gdb-end When the target has halted and GDB is not doing anything (see early halt)

gdb-flash-erase-start Before the GDB flash process tries to erase the flash

gdb-flash-erase-end After the GDB flash process has finished erasing the flash

gdb-flash-write-start Before GDB writes to the flash

gdb-flash-write-end After GDB writes to the flash

gdb-start Before the target steps, gdb is trying to start/resume the target

halted The target has halted

reset-assert-pre Issued as part of reset processing after reset_init was triggered but before either SRST alone is re-asserted on the scan chain, or reset-assert is triggered.

reset-assert Issued as part of reset processing after reset-assert-pre was triggered. When such a handler is present, cores which support this event will use it instead of asserting SRST. This support is essential for debugging with JTAG interfaces which donâ€™t include an SRST line (JTAG doesnâ€™t require SRST), and for selective reset on scan chains that have multiple targets.

reset-assert-post Issued as part of reset processing after reset-assert has been triggered. or the target asserted SRST on the entire scan chain.

reset-deassert-pre Issued as part of reset processing after reset-assert-post has been triggered.

reset-deassert-post Issued as part of reset processing after reset-deassert-pre has been triggered and (if the target is using it) after SRST has been released on the scan chain.

reset-end Issued as the final step in reset processing.

reset-init Used by reset init command for board-specific initialization. This event fires after reset-deassert-post.

This is where you would configure PLLs and clocking, set up DRAM so you can download programs that donâ€™t fit in on-chip SRAM, set up pin multiplexing, and so on. (You may be able to switch to a fast JTAG clock rate here, after the target clocks are fully set up.)

reset-start Issued as part of reset processing before reset_init is called.

This is the most robust place to use jtag_rclk or adapter_khz to switch to a low JTAG clock rate, when reset disables PLLs needed to use a fast clock.

12. Flash Commands

OpenOCD has different commands for NOR and NAND flash; the â€œflashâ€ command works with NOR flash, while the â€œnandâ€ command works with NAND flash. This partially reflects different hardware technologies: NOR flash usually supports direct CPU instruction and data bus access, while data from a NAND flash must be copied to memory before it can be used. (SPI flash must also be copied to memory before use.) However, the documentation also uses â€œflashâ€ as a generic term; for example, â€œPut flash configuration in board-specific filesâ€.

Flash Steps:

Configure via the command flash bank Do this in a board-specific configuration file, passing parameters as needed by the driver.

Operate on the flash via flash subcommand Often commands to manipulate the flash are typed by a human, or run via a script in some automated way. Common tasks include writing a boot loader, operating system, or other data.

Many CPUs have the ablity to â€œbootâ€ from the first flash bank. This means that misprogramming that bank can â€œbrickâ€ a system, so that it canâ€™t boot. JTAG tools, like OpenOCD, are often then used to â€œde-brickâ€ the board by (re)installing working boot firmware.

12.1 Flash Configuration Commands

Configures a flash bank which provides persistent storage for addresses from base to base size - 1. These banks will often be visible to GDB through the targetâ€™s memory map. In some cases, configuring a flash bank will activate extra commands; see the driver-specific documentation.

name ... may be used to reference the flash bank in other flash commands. A number is also available.

driver ... identifies the controller driver associated with the flash bank being declared. This is usually cfi for external flash, or else the name of a microcontroller with embedded flash memory. See [#Flash-Driver-List Flash Driver List].

base ... Base address of the flash chip.

size ... Size of the chip, in bytes. For some drivers, this value is detected from the hardware.

chip_width ... Width of the flash chip, in bytes; ignored for most microcontroller drivers.

bus_width ... Width of the data bus used to access the chip, in bytes; ignored for most microcontroller drivers.

target ... Names the target used to issue commands to the flash controller.

driver_options ... drivers may support, or require, additional parameters. See the driver-specific documentation for more information.

Note: This command is not available after OpenOCD initialization has completed. Use it in board specific configuration files, not interactively.

Command:flash banks

Prints a one-line summary of each device that was declared using flash bank, numbered from zero. Note that this is the plural form; the singular form is a very different command.

Command:flash list

Retrieves a list of associative arrays for each device that was declared using flash bank, numbered from zero. This returned list can be manipulated easily from within scripts.

Command:flash probe num

Identify the flash, or validate the parameters of the configured flash. Operation depends on the flash type. The num parameter is a value shown by flash banks. Most flash commands will implicitly autoprobe the bank; flash drivers can distinguish between probing and autoprobing, but most donâ€™t bother.

12.2 Erasing, Reading, Writing to Flash

One feature distinguishing NOR flash from NAND or serial flash technologies is that for read access, it acts exactly like any other addressible memory. This means you can use normal memory read commands like mdw or dump_image with it, with no special flash subcommands. See [#Memory-access Memory access], and [#Image-access Image access].

Write access works differently. Flash memory normally needs to be erased before itâ€™s written. Erasing a sector turns all of its bits to ones, and writing can turn ones into zeroes. This is why there are special commands for interactive erasing and writing, and why GDB needs to know which parts of the address space hold NOR flash memory.

Note: Most of these erase and write commands leverage the fact that NOR flash chips consume target address space. They implicitly refer to the current JTAG target, and map from an address in that targetâ€™s address space back to a flash bank. A few commands use abstract addressing based on bank and sector numbers, and donâ€™t depend on searching the current target and its address space. Avoid confusing the two command models.

Some flash chips implement software protection against accidental writes, since such buggy writes could in some cases â€œbrickâ€ a system. For such systems, erasing and writing may require sector protection to be disabled first. Examples include CFI flash such as â€œIntel Advanced Bootblock flashâ€, and AT91SAM7 on-chip flash. See [#flash-protect flash protect].

Command:flash erase_sector num first last

Erase sectors in bank num, starting at sector first up to and including last. Sector numbering starts at 0. Providing a last sector of â€˜lastâ€™ specifies "to the end of the flash bank". The num parameter is a value shown by flash banks.

Command:flash erase_address [â€˜padâ€™] [â€˜unlockâ€™] address length

Erase sectors starting at address for length bytes. Unless â€˜padâ€™ is specified, address must begin a flash sector, and address length - 1 must end a sector. Specifying â€˜padâ€™ erases extra data at the beginning and/or end of the specified region, as needed to erase only full sectors. The flash bank to use is inferred from the address, and the specified length must stay within that bank. As a special case, when length is zero and address is the start of the bank, the whole flash is erased. If â€˜unlockâ€™ is specified, then the flash is unprotected before erase starts.

Command:flash fillw address word length

Command:flash fillh address halfword length

Command:flash fillb address byte length

Fills flash memory with the specified word (32 bits), halfword (16 bits), or byte (8-bit) pattern, starting at address and continuing for length units (word/halfword/byte). No erasure is done before writing; when needed, that must be done before issuing this command. Writes are done in blocks of up to 1024 bytes, and each write is verified by reading back the data and comparing it to what was written. The flash bank to use is inferred from the address of each block, and the specified length must stay within that bank.

Command:flash write_bank num filename offset

Write the binary â€˜filenameâ€™ to flash bank num, starting at offset bytes from the beginning of the bank. The num parameter is a value shown by flash banks.

Command:flash write_image [erase] [unlock] filename [offset] [type]

Write the image â€˜filenameâ€™ to the current targetâ€™s flash bank(s). A relocation offset may be specified, in which case it is added to the base address for each section in the image. The file [type] can be specified explicitly as â€˜binâ€™ (binary), â€˜ihexâ€™ (Intel hex), â€˜elfâ€™ (ELF file), â€˜s19â€™ (Motorola s19). â€˜memâ€™, or â€˜builderâ€™. The relevant flash sectors will be erased prior to programming if the â€˜eraseâ€™ parameter is given. If â€˜unlockâ€™ is provided, then the flash banks are unlocked before erase and program. The flash bank to use is inferred from the address of each image section.

Warning: Be careful using the â€˜eraseâ€™ flag when the flash is holding data you want to preserve. Portions of the flash outside those described in the imageâ€™s sections might be erased with no notice.

When a section of the image being written does not fill out all the sectors it uses, the unwritten parts of those sectors are necessarily also erased, because sectors canâ€™t be partially erased.

Data stored in sector "holes" between image sections are also affected. For example, "flash write_image erase ..." of an image with one byte at the beginning of a flash bank and one byte at the end erases the entire bank â€“ not just the two sectors being written.

Also, when flash protection is important, you must re-apply it after it has been removed by the â€˜unlockâ€™ flag.

12.3 Other Flash commands

Check erase state of sectors in flash bank num, and display that status. The num parameter is a value shown by flash banks.

Command:flash info num

Print info about flash bank num The num parameter is a value shown by flash banks. This command will first query the hardware, it does not print cached and possibly stale information.

Command:flash protect num first last (â€˜onâ€™|â€˜offâ€™)

Enable (â€˜onâ€™) or disable (â€˜offâ€™) protection of flash sectors in flash bank num, starting at sector first and continuing up to and including last. Providing a last sector of â€˜lastâ€™ specifies "to the end of the flash bank". The num parameter is a value shown by flash banks.

12.4.1 External Flash

Flash Driver:cfi

The â€œCommon Flash Interfaceâ€ (CFI) is the main standard for external NOR flash chips, each of which connects to a specific external chip select on the CPU. Frequently the first such chip is used to boot the system. Your boardâ€™s reset-init handler might need to configure additional chip selects using other commands (like: mww to configure a bus and its timings), or perhaps configure a GPIO pin that controls the â€œwrite protectâ€ pin on the flash chip. The CFI driver can use a target-specific working area to significantly speed up operation.

The CFI driver can accept the following optional parameters, in any order:

jedec_probe ... is used to detect certain non-CFI flash ROMs, like AM29LV010 and similar types.

x16_as_x8 ... when a 16-bit flash is hooked up to an 8-bit bus.

To configure two adjacent banks of 16 MBytes each, both sixteen bits (two bytes) wide on a sixteen bit bus:

SMI makes the flash content directly accessible in the CPU address space; each external device is mapped in a memory bank. CPU can directly read data, execute code and boot from SMI banks. Normal OpenOCD commands like mdw can be used to display the flash content.
The setup command only requires the base parameter in order to identify the memory bank. All other parameters are ignored. Additional information, like flash size, are detected automatically.

12.4.2 Internal Flash (Microcontrollers)

Flash Driver:aduc702x

The ADUC702x analog microcontrollers from Analog Devices include internal flash and use ARM7TDMI cores. The aduc702x flash driver works with models ADUC7019 through ADUC7028. The setup command only requires the target argument since all devices in this family have the same memory layout.

flash bank $_FLASHNAME aduc702x 0 0 0 0 $_TARGETNAME

Flash Driver:at91sam3

All members of the AT91SAM3 microcontroller family from Atmel include internal flash and use ARMâ€™s Cortex-M3 core. The driver currently (6/22/09) recognizes the AT91SAM3U[1/2/4][C/E] chips. Note that the driver was orginaly developed and tested using the AT91SAM3U4E, using a SAM3U-EK eval board. Support for other chips in the family was cribbed from the data sheet. Note to future readers/updaters: Please remove this worrysome comment after other chips are confirmed.

The AT91SAM3U4[E/C] (256K) chips have two flash banks; most other chips have one flash bank. In all cases the flash banks are at the following fixed locations:

With no parameters, show or show all, shows the status of all GPNVM bits. With shownumber, displays that bit.

With setnumber or clearnumber, modifies that GPNVM bit.

Command:at91sam3 info

This command attempts to display information about the AT91SAM3 chip. First it read the CHIPID_CIDR [address 0x400e0740, see Section 28.2.1, page 505 of the AT91SAM3U 29/may/2009 datasheet, document id: doc6430A] and decodes the values. Second it reads the various clock configuration registers and attempts to display how it believes the chip is configured. By default, the SLOWCLK is assumed to be 32768 Hz, see the command at91sam3 slowclk.

Command:at91sam3 slowclk [value]

This command shows/sets the slow clock frequency used in the at91sam3 info command calculations above.

Flash Driver:at91sam4

All members of the AT91SAM4 microcontroller family from Atmel include internal flash and use ARMâ€™s Cortex-M4 core. This driver uses the same cmd names/syntax as See [#at91sam3 at91sam3].

Flash Driver:at91sam7

All members of the AT91SAM7 microcontroller family from Atmel include internal flash and use ARM7TDMI cores. The driver automatically recognizes a number of these chips using the chip identification register, and autoconfigures itself.

flash bank $_FLASHNAME at91sam7 0 0 0 0 $_TARGETNAME

For chips which are not recognized by the controller driver, you must provide additional parameters in the following order:

chip_model ... label used with flash info

banks

sectors_per_bank

pages_per_sector

pages_size

num_nvm_bits

freq_khz ... required if an external clock is provided, optional (but recommended) when the oscillator frequency is known

It is recommended that you provide zeroes for all of those values except the clock frequency, so that everything except that frequency will be autoconfigured. Knowing the frequency helps ensure correct timings for flash access.
The flash controller handles erases automatically on a page (128/256 byte) basis, so explicit erase commands are not necessary for flash programming. However, there is an â€œEraseAllâ€œ command that can erase an entire flash plane (of up to 256KB), and it will be used automatically when you issue flash erase_sector or flash erase_address commands.

Command:at91sam7 gpnvm bitnum (â€˜setâ€™|â€˜clearâ€™)

Set or clear a â€œGeneral Purpose Non-Volatile Memoryâ€ (GPNVM) bit for the processor. Each processor has a number of such bits, used for controlling features such as brownout detection (so they are not truly general purpose).

Note: This assumes that the first flash bank (number 0) is associated with the appropriate at91sam7 target.

Flash Driver:avr

The AVR 8-bit microcontrollers from Atmel integrate flash memory. The current implementation is incomplete.

Flash Driver:lpc2000

Most members of the LPC1700 and LPC2000 microcontroller families from NXP include internal flash and use Cortex-M3 (LPC1700) or ARM7TDMI (LPC2000) cores.

Note: There are LPC2000 devices which are not supported by the lpc2000 driver: The LPC2888 is supported by the lpc288x driver. The LPC29xx family is supported by the lpc2900 driver.

The lpc2000 driver defines two mandatory and one optional parameters, which must appear in the following order:

clock_kHz ... the frequency, in kiloHertz, at which the core is running

â€˜calc_checksumâ€™ ... optional (but you probably want to provide this!), telling the driver to calculate a valid checksum for the exception vector table.

Note: If you donâ€™t provide â€˜calc_checksumâ€™ when youâ€™re writing the vector table, the boot ROM will almost certainly ignore your flash image. However, if you do provide it, with most tool chains verify_image will fail.

Displays the four byte part identifier associated with the specified flash bank.

Flash Driver:lpc288x

The LPC2888 microcontroller from NXP needs slightly different flash support from its lpc2000 siblings. The lpc288x driver defines one mandatory parameter, the programming clock rate in Hz. LPC flashes donâ€™t require the chip and bus width to be specified.

flash bank $_FLASHNAME lpc288x 0 0 0 0 $_TARGETNAME 12000000

Flash Driver:lpc2900

This driver supports the LPC29xx ARM968E based microcontroller family from NXP.

The predefined parameters base, size, chip_width and bus_width of the flash bank command are ignored. Flash size and sector layout are auto-configured by the driver. The driver has one additional mandatory parameter: The CPU clock rate (in kHz) at the time the flash operations will take place. Most of the time this will not be the crystal frequency, but a higher PLL frequency. The reset-init event handler in the board script is usually the place where you start the PLL.
The driver rejects flashless devices (currently the LPC2930).
The EEPROM in LPC2900 devices is not mapped directly into the address space. It must be handled much more like NAND flash memory, and will therefore be handled by a separate lpc2900_eeprom driver (not yet available).
Sector protection in terms of the LPC2900 is handled transparently. Every time a sector needs to be erased or programmed, it is automatically unprotected. What is shown as protection status in the flash info command, is actually the LPC2900 sector security. This is a mechanism to prevent a sector from ever being erased or programmed again. As this is an irreversible mechanism, it is handled by a special command (lpc2900 secure_sector), and not by the standard flash protect command.
Example for a 125 MHz clock frequency:

flash bank $_FLASHNAME lpc2900 0 0 0 0 $_TARGETNAME 125000

Some lpc2900-specific commands are defined. In the following command list, the bank parameter is the bank number as obtained by the flash banks command.

Command:lpc2900 signature bank

Calculates a 128-bit hash value, the signature, from the whole flash content. This is a hardware feature of the flash block, hence the calculation is very fast. You may use this to verify the content of a programmed device against a known signature. Example:

Reads the 912 bytes of customer information from the flash index sector, and saves it to a file in binary format. Example:

lpc2900 read_custom 0 /path_to/customer_info.bin

The index sector of the flash is a write-only sector. It cannot be erased! In order to guard against unintentional write access, all following commands need to be preceeded by a successful call to the password command:

Command:lpc2900 password bank password

You need to use this command right before each of the following commands: lpc2900 write_custom, lpc2900 secure_sector, lpc2900 secure_jtag.

Writes the content of the file into the customer info space of the flash index sector. The filetype can be specified with the type field. Possible values for type are: bin (binary), ihex (Intel hex format), elf (ELF binary) or s19 (Motorola S-records). The file must contain a single section, and the contained data length must be exactly 912 bytes.

Attention: This cannot be reverted! Be careful!

Example:

lpc2900 write_custom 0 /path_to/customer_info.bin bin

Command:lpc2900 secure_sector bank first last

Secures the sector range from first to last (including) against further program and erase operations. The sector security will be effective after the next power cycle.

Programs the specified 32-bit value at the given address in the specified chip bank.

Command:pic32mx unlock bank

Unlock and erase specified chip bank. This will remove any Code Protection.

Flash Driver:stellaris

All members of the Stellaris LM3Sxxx microcontroller family from Texas Instruments include internal flash and use ARM Cortex M3 cores. The driver automatically recognizes a number of these chips using the chip identification register, and autoconfigures itself. [#FOOT6 (6)]

flash bank $_FLASHNAME stellaris 0 0 0 0 $_TARGETNAME

Command:stellaris recover bank_id

Performs the Recovering a "Locked" Device procedure to restore the flash specified by bank_id and its associated nonvolatile registers to their factory default values (erased). This is the only way to remove flash protection or re-enable debugging if that capability has been disabled.

Note that the final "power cycle the chip" step in this procedure must be performed by hand, since OpenOCD canâ€™t do it.

Warning: if more than one Stellaris chip is connected, the procedure is applied to all of them.

Flash Driver:stm32f1x

All members of the STM32f1x microcontroller family from ST Microelectronics include internal flash and use ARM Cortex M3 cores. The driver automatically recognizes a number of these chips using the chip identification register, and autoconfigures itself.

flash bank $_FLASHNAME stm32f1x 0 0 0 0 $_TARGETNAME

If you have a target with dual flash banks then define the second bank as per the following example.

flash bank $_FLASHNAME stm32f1x 0x08080000 0 0 0 $_TARGETNAME

Some stm32f1x-specific commands [#FOOT7 (7)] are defined:

Command:stm32f1x lock num

Locks the entire stm32 device. The num parameter is a value shown by flash banks.

Command:stm32f1x unlock num

Unlocks the entire stm32 device. The num parameter is a value shown by flash banks.

Command:stm32f1x options_read num

Read and display the stm32 option bytes written by the stm32f1x options_write command. The num parameter is a value shown by flash banks.

Writes the stm32 option byte with the specified values. The num parameter is a value shown by flash banks.

Flash Driver:stm32f2x

All members of the STM32f2x microcontroller family from ST Microelectronics include internal flash and use ARM Cortex M3 cores. The driver automatically recognizes a number of these chips using the chip identification register, and autoconfigures itself.

Flash Driver:str7x

All members of the STR7 microcontroller family from ST Microelectronics include internal flash and use ARM7TDMI cores. The str7x driver defines one mandatory parameter, variant, which is either STR71x, STR73x or STR75x.

Activate the Debug/Readout protection mechanism for the specified flash bank.

Flash Driver:str9x

Most members of the STR9 microcontroller family from ST Microelectronics include internal flash and use ARM966E cores. The str9 needs the flash controller to be configured using the str9x flash_config command prior to Flash programming.

Configures the str9 flash controller. The num parameter is a value shown by flash banks.

bbsr - Boot Bank Size register

nbbsr - Non Boot Bank Size register

bbadr - Boot Bank Start Address register

nbbadr - Boot Bank Start Address register

Flash Driver:tms470

Most members of the TMS470 microcontroller family from Texas Instruments include internal flash and use ARM7TDMI cores. This driver doesnâ€™t require the chip and bus width to be specified.

Some tms470-specific commands are defined:

Command:tms470 flash_keyset key0 key1 key2 key3

Saves programming keys in a register, to enable flash erase and write commands.

Command:tms470 osc_mhz clock_mhz

Reports the clock speed, which is used to calculate timings.

Command:tms470 plldis (0|1)

Disables (1) or enables (0) use of the PLL to speed up the flash clock.

Flash Driver:virtual

This is a special driver that maps a previously defined bank to another address. All bank settings will be copied from the master physical bank.

The virtual driver defines one mandatory parameters,

master_bank The bank that this virtual address refers to.

So in the following example addresses 0xbfc00000 and 0x9fc00000 refer to the flash bank defined at address 0x1fc00000. Any cmds executed on the virtual banks are actually performed on the physical banks.

All members of the FM3 microcontroller family from Fujitsu include internal flash and use ARM Cortex M3 cores. The fm3 driver uses the target parameter to select the correct bank config, it can currently be one of the following: mb9bfxx1.cpu, mb9bfxx2.cpu, mb9bfxx3.cpu, mb9bfxx4.cpu, mb9bfxx5.cpu or mb9bfxx6.cpu.

12.4.3 str9xpec driver

Here is some background info to help you better understand how this driver works. OpenOCD has two flash drivers for the str9:

Standard driver â€˜str9xâ€™ programmed via the str9 core. Normally used for flash programming as it is faster than the â€˜str9xpecâ€™ driver.

Direct programming â€˜str9xpecâ€™ using the flash controller. This is an ISC compilant (IEEE 1532) tap connected in series with the str9 core. The str9 core does not need to be running to program using this flash driver. Typical use for this driver is locking/unlocking the target and programming the option bytes.

Before we run any commands using the â€˜str9xpecâ€™ driver we must first disable the str9 core. This example assumes the â€˜str9xpecâ€™ driver has been configured for flash bank 0.

The above example will read the str9 option bytes. When performing a unlock remember that you will not be able to halt the str9 - it has been locked. Halting the core is not required for the â€˜str9xpecâ€™ driver as mentioned above, just issue the commands above manually or from a telnet prompt.

Flash Driver:str9xpec

Only use this driver for locking/unlocking the device or configuring the option bytes. Use the standard str9 driver for programming. Before using the flash commands the turbo mode must be enabled using the str9xpec enable_turbo command.

Several str9xpec-specific commands are defined:

Command:str9xpec disable_turbo num

Restore the str9 into JTAG chain.

Command:str9xpec enable_turbo num

Enable turbo mode, will simply remove the str9 from the chain and talk directly to the embedded flash controller.

Command:str9xpec lock num

Lock str9 device. The str9 will only respond to an unlock command that will erase the device.

12.5.2 mFlash commands

Command:mflash config pll frequency

Configure mflash PLL. The frequency is the mflash input frequency, in Hz. Issuing this command will erase mflashâ€™s whole internal nand and write new pll. After this command, mflash needs power-on-reset for normal operation. If pll was newly configured, storage and boot(optional) info also need to be update.

13. NAND Flash Commands

NAND chips consist of a number of â€œerase blocksâ€ of a given size (such as 128 KBytes), each of which is divided into a number of pages (of perhaps 512 or 2048 bytes each). Each page of a NAND flash has an â€œout of bandâ€ (OOB) area to hold Error Correcting Code (ECC) and other metadata, usually 16 bytes of OOB for every 512 bytes of page data.

One key characteristic of NAND flash is that its error rate is higher than that of NOR flash. In normal operation, that ECC is used to correct and detect errors. However, NAND blocks can also wear out and become unusable; those blocks are then marked "bad". NAND chips are even shipped from the manufacturer with a few bad blocks. The highest density chips use a technology (MLC) that wears out more quickly, so ECC support is increasingly important as a way to detect blocks that have begun to fail, and help to preserve data integrity with techniques such as wear leveling.

Software is used to manage the ECC. Some controllers donâ€™t support ECC directly; in those cases, software ECC is used. Other controllers speed up the ECC calculations with hardware. Single-bit error correction hardware is routine. Controllers geared for newer MLC chips may correct 4 or more errors for every 512 bytes of data.

You will need to make sure that any data you write using OpenOCD includes the apppropriate kind of ECC. For example, that may mean passing the oob_softecc flag when writing NAND data, or ensuring that the correct hardware ECC mode is used.

The basic steps for using NAND devices include:

Declare via the command nand device Do this in a board-specific configuration file, passing parameters as needed by the controller.

Configure each device using nand probe. Do this only after the associated target is set up, such as in its reset-init script or in procures defined to access that device.

Operate on the flash via nand subcommand Often commands to manipulate the flash are typed by a human, or run via a script in some automated way. Common task include writing a boot loader, operating system, or other data needed to initialize or de-brick a board.

NOTE: At the time this text was written, the largest NAND flash fully supported by OpenOCD is 2 GiBytes (16 GiBits). This is because the variables used to hold offsets and lengths are only 32 bits wide. (Larger chips may work in some cases, unless an offset or length is larger than 0xffffffff, the largest 32-bit unsigned integer.) Some larger devices will work, since they are actually multi-chip modules with two smaller chips and individual chipselect lines.

13.1 NAND Configuration Commands

NAND chips must be declared in configuration scripts, plus some additional configuration thatâ€™s done after OpenOCD has initialized.

Config Command:nand device name driver target [configparams...]

Declares a NAND device, which can be read and written to after it has been configured through nand probe. In OpenOCD, devices are single chips; this is unlike some operating systems, which may manage multiple chips as if they were a single (larger) device. In some cases, configuring a device will activate extra commands; see the controller-specific documentation.

NOTE: This command is not available after OpenOCD initialization has completed. Use it in board specific configuration files, not interactively.

name ... may be used to reference the NAND bank in most other NAND commands. A number is also available.

Probes the specified device to determine key characteristics like its page and block sizes, and how many blocks it has. The num parameter is the value shown by nand list. You must (successfully) probe a device before you can use it with most other NAND commands.

13.2 Erasing, Reading, Writing to NAND Flash

Reads binary data from the NAND device and writes it to the file, starting at the specified offset. The num parameter is the value shown by nand list.

Use a complete path name for filename, so you donâ€™t depend on the directory used to start the OpenOCD server.
The offset and length must be exact multiples of the deviceâ€™s page size. They describe a data region; the OOB data associated with each such page may also be accessed.
NOTE: At the time this text was written, no error correction was done on the data thatâ€™s read, unless raw access was disabled and the underlying NAND controller driver had a read_page method which handled that error correction.
By default, only page data is saved to the specified file. Use an oob_option parameter to save OOB data:

oob_rawOutput file interleaves page data and OOB data; the file will be longer than "length" by the size of the spare areas associated with each data page. Note that this kind of "raw" access is different from whatâ€™s implied by nand raw_access, which just controls whether a hardware-aware access method is used.

oob_onlyOutput file has only raw OOB data, and will be smaller than "length" since it will contain only the spare areas associated with each data page.

Command:nand erase num [offset length]

Erases blocks on the specified NAND device, starting at the specified offset and continuing for length bytes. Both of those values must be exact multiples of the deviceâ€™s block size, and the region they specify must fit entirely in the chip. If those parameters are not specified, the whole NAND chip will be erased. The num parameter is the value shown by nand list.

NOTE: This command will try to erase bad blocks, when told to do so, which will probably invalidate the manufacturerâ€™s bad block marker. For the remainder of the current server session, nand info will still report that the block â€œisâ€ bad.

Command:nand write num filename offset [option...]

Writes binary data from the file into the specified NAND device, starting at the specified offset. Those pages should already have been erased; you canâ€™t change zero bits to one bits. The num parameter is the value shown by nand list.

Use a complete path name for filename, so you donâ€™t depend on the directory used to start the OpenOCD server.
The offset must be an exact multiple of the deviceâ€™s page size. All data in the file will be written, assuming it doesnâ€™t run past the end of the device. Only full pages are written, and any extra space in the last page will be filled with 0xff bytes. (That includes OOB data, if thatâ€™s being written.)
NOTE: At the time this text was written, bad blocks are ignored. That is, this routine will not skip bad blocks, but will instead try to write them. This can cause problems.
Provide at most one option parameter. With some NAND drivers, the meanings of these parameters may change if nand raw_access was used to disable hardware ECC.

no oob_* parameter File has only page data, which is written. If raw acccess is in use, the OOB area will not be written. Otherwise, if the underlying NAND controller driver has a write_page routine, that routine may write the OOB with hardware-computed ECC data.

oob_onlyFile has only raw OOB data, which is written to the OOB area. Each pageâ€™s data area stays untouched. This can be a dangerous option, since it can invalidate the ECC data. You may need to force raw access to use this mode.

oob_rawFile interleaves data and OOB data, both of which are written If raw access is enabled, the data is written first, then the un-altered OOB. Otherwise, if the underlying NAND controller driver has a write_page routine, that routine may modify the OOB before itâ€™s written, to include hardware-computed ECC data.

oob_softeccFile has only page data, which is written. The OOB area is filled with 0xff, except for a standard 1-bit software ECC code stored in conventional locations. You might need to force raw access to use this mode, to prevent the underlying driver from applying hardware ECC.

oob_softecc_kwFile has only page data, which is written. The OOB area is filled with 0xff, except for a 4-bit software ECC specific to the boot ROM in Marvell Kirkwood SoCs. You might need to force raw access to use this mode, to prevent the underlying driver from applying hardware ECC.

Command:nand verify num filename offset [option...]

Verify the binary data in the file has been programmed to the specified NAND device, starting at the specified offset. The num parameter is the value shown by nand list.

Use a complete path name for filename, so you donâ€™t depend on the directory used to start the OpenOCD server.
The offset must be an exact multiple of the deviceâ€™s page size. All data in the file will be read and compared to the contents of the flash, assuming it doesnâ€™t run past the end of the device. As with nand write, only full pages are verified, so any extra space in the last page will be filled with 0xff bytes.
The same options accepted by nand write, and the file will be processed similarly to produce the buffers that can be compared against the contents produced from nand dump.
NOTE: This will not work when the underlying NAND controller driverâ€™s write_page routine must update the OOB with a hardward-computed ECC before the data is written. This limitation may be removed in a future release.

13.3 Other NAND commands

Command:nand check_bad_blocks num [offset length]

Checks for manufacturer bad block markers on the specified NAND device. If no parameters are provided, checks the whole device; otherwise, starts at the specified offset and continues for length bytes. Both of those values must be exact multiples of the deviceâ€™s block size, and the region they specify must fit entirely in the chip. The num parameter is the value shown by nand list.

NOTE: Before using this command you should force raw access with nand raw_access enable to ensure that the underlying driver will not try to apply hardware ECC.

Command:nand info num

The num parameter is the value shown by nand list. This prints the one-line summary from "nand list", plus for devices which have been probed this also prints any known status for each block.

Command:nand raw_access num (â€˜enableâ€™|â€˜disableâ€™)

Sets or clears an flag affecting how page I/O is done. The num parameter is the value shown by nand list.

This flag is cleared (disabled) by default, but changing that value wonâ€™t affect all NAND devices. The key factor is whether the underlying driver provides read_page or write_page methods. If it doesnâ€™t provide those methods, the setting of this flag is irrelevant; all access is effectively â€œrawâ€.
When those methods exist, they are normally used when reading data (nand dump or reading bad block markers) or writing it (nand write). However, enabling raw access (setting the flag) prevents use of those methods, bypassing hardware ECC logic. This can be a dangerous option, since writing blocks with the wrong ECC data can cause them to be marked as bad.

13.4 NAND Driver List

This driver handles the NAND controllers found on AT91SAM9 family chips from Atmel. It takes two extra parameters: address of the NAND chip; address of the ECC controller.

nand device $NANDFLASH at91sam9 $CHIPNAME 0x40000000 0xfffffe800

AT91SAM9 chips support single-bit ECC hardware. The write_page and read_page methods are used to utilize the ECC hardware unless they are disabled by using the nand raw_access command. There are four additional commands that are needed to fully configure the AT91SAM9 NAND controller. Two are optional; most boards use the same wiring for ALE/CLE:

Command:at91sam9 cle num addr_line

Configure the address line used for latching commands. The num parameter is the value shown by nand list.

Command:at91sam9 ale num addr_line

Configure the address line used for latching addresses. The num parameter is the value shown by nand list.

For the next two commands, it is assumed that the pins have already been properly configured for input or output.

Command:at91sam9 rdy_busy num pio_base_addr pin

Configure the RDY/nBUSY input from the NAND device. The num parameter is the value shown by nand list. pio_base_addr is the base address of the PIO controller and pin is the pin number.

Command:at91sam9 ce num pio_base_addr pin

Configure the chip enable input to the NAND device. The num parameter is the value shown by nand list. pio_base_addr is the base address of the PIO controller and pin is the pin number.

NAND Driver:davinci

This driver handles the NAND controllers found on DaVinci family chips from Texas Instruments. It takes three extra parameters: address of the NAND chip; hardware ECC mode to use (â€˜hwecc1â€™, â€˜hwecc4â€™, â€˜hwecc4_infixâ€™); address of the AEMIF controller on this processor.

nand device davinci dm355.arm 0x02000000 hwecc4 0x01e10000

All DaVinci processors support the single-bit ECC hardware, and newer ones also support the four-bit ECC hardware. The write_page and read_page methods are used to implement those ECC modes, unless they are disabled using the nand raw_access command.

NAND Driver:lpc3180

These controllers require an extra nand device parameter: the clock rate used by the controller.

Command:lpc3180 select num [mlc|slc]

Configures use of the MLC or SLC controller mode. MLC implies use of hardware ECC. The num parameter is the value shown by nand list.

At this writing, this driver includes write_page and read_page methods. Using nand raw_access to disable those methods will prevent use of hardware ECC in the MLC controller mode, but wonâ€™t change SLC behavior.

NAND Driver:mx3

This driver handles the NAND controller in i.MX31. The mxc driver should work for this chip aswell.

NAND Driver:mxc

This driver handles the NAND controller found in Freescale i.MX chips. It has support for v1 (i.MX27 and i.MX31) and v2 (i.MX35). The driver takes 3 extra arguments, chip (â€˜mx27â€™, â€˜mx31â€™, â€˜mx35â€™), ecc (â€˜noeccâ€™, â€˜hweccâ€™) and optionally if bad block information should be swapped between main area and spare area (â€˜biswapâ€™), defaults to off.

These controllers require an extra nand device parameter: the address of the controller.

nand device orion 0xd8000000

These controllers donâ€™t define any specialized commands. At this writing, their drivers donâ€™t include write_page or read_page methods, so nand raw_access wonâ€™t change any behavior.

NAND Driver:s3c2410

NAND Driver:s3c2412

NAND Driver:s3c2440

NAND Driver:s3c2443

NAND Driver:s3c6400

These S3C family controllers donâ€™t have any special nand device options, and donâ€™t define any specialized commands. At this writing, their drivers donâ€™t include write_page or read_page methods, so nand raw_access wonâ€™t change any behavior.

14. PLD/FPGA Commands

Programmable Logic Devices (PLDs) and the more flexible Field Programmable Gate Arrays (FPGAs) are both types of programmable hardware. OpenOCD can support programming them. Although PLDs are generally restrictive (cells are less functional, and there are no special purpose cells for memory or computational tasks), they share the same OpenOCD infrastructure. Accordingly, both are called PLDs here.

14.2 PLD/FPGA Drivers, Options, and Commands

Drivers may support PLD-specific options to the pld device definition command, and may also define commands usable only with that particular type of PLD.

FPGA Driver:virtex2

Virtex-II is a family of FPGAs sold by Xilinx. It supports the IEEE 1532 standard for In-System Configuration (ISC). No driver-specific PLD definition options are used, and one driver-specific command is defined.

15.1 Daemon Commands

With no parameters, prints help text for all commands. Otherwise, prints each helptext containing string. Not every command provides helptext.

Configuration commands, and commands valid at any time, are explicitly noted in parenthesis. In most cases, no such restriction is listed; this indicates commands which are only available after the configuration stage has completed.

Command:sleep msec [â€˜busyâ€™]

Wait for at least msec milliseconds before resuming. If â€˜busyâ€™ is passed, busy-wait instead of sleeping. (This option is strongly discouraged.) Useful in connection with script files (script command and target_name configuration).

Command:shutdown

Close the OpenOCD daemon, disconnecting all clients (GDB, telnet, other).

Command:debug_level [n]

Display debug level. If n (from 0..3) is provided, then set it to that level. This affects the kind of messages sent to the server log. Level 0 is error messages only; level 1 adds warnings; level 2 adds informational messages; and level 3 adds debugging messages. The default is level 2, but that can be overridden on the command line along with the location of that log file (which is normally the serverâ€™s standard output). See section [#Running Running].

15.2 Target State handling

In this section â€œtargetâ€ refers to a CPU configured as shown earlier (see section [#CPU-Configuration CPU Configuration]). These commands, like many, implicitly refer to a current target which is used to perform the various operations. The current target may be changed by using targets command with the name of the target which should become current.

Command:reg [(number|name) [value]]

Access a single register by number or by its name. The target must generally be halted before access to CPU core registers is allowed. Depending on the hardware, some other registers may be accessible while the target is running.

With no arguments: list all available registers for the current target, showing number, name, size, value, and cache status. For valid entries, a value is shown; valid entries which are also dirty (and will be written back later) are flagged as such.
With number/name: display that registerâ€™s value.
With both number/name and value: set registerâ€™s value. Writes may be held in a writeback cache internal to OpenOCD, so that setting the value marks the register as dirty instead of immediately flushing that value. Resuming CPU execution (including by single stepping) or otherwise activating the relevant module will flush such values.
Cores may have surprisingly many registers in their Debug and trace infrastructure:

The halt command first sends a halt request to the target, which wait_halt doesnâ€™t. Otherwise these behave the same: wait up to ms milliseconds, or 5 seconds if there is no parameter, for the target to halt (and enter debug mode). Using 0 as the ms parameter prevents OpenOCD from waiting.

Warning: On ARM cores, software using the wait for interrupt operation often blocks the JTAG access needed by a halt command. This is because that operation also puts the core into a low power mode by gating the core clock; but the core clock is needed to detect JTAG clock transitions.
One partial workaround uses adaptive clocking: when the core is interrupted the operation completes, then JTAG clocks are accepted at least until the interrupt handler completes. However, this workaround is often unusable since the processor, board, and JTAG adapter must all support adaptive JTAG clocking. Also, it canâ€™t work until an interrupt is issued.
A more complete workaround is to not use that operation while you work with a JTAG debugger. Tasking environments generaly have idle loops where the body is the wait for interrupt operation. (On older cores, it is a coprocessor action; newer cores have a â€˜wfiâ€™ instruction.) Such loops can just remove that operation, at the cost of higher power consumption (because the CPU is needlessly clocked).

Command:resume [address]

Resume the target at its current code position, or the optional address if it is provided. OpenOCD will wait 5 seconds for the target to resume.

Command:step [address]

Single-step the target at its current code position, or the optional address if it is provided.

Command:reset

Command:reset run

Command:reset halt

Command:reset init

Perform as hard a reset as possible, using SRST if possible. All defined targets will be reset, and target events will fire during the reset sequence.

The optional parameter specifies what should happen after the reset. If there is no parameter, a reset run is executed. The other options will not work on all systems. See section [#Reset-Configuration Reset Configuration].

- run Let the target run

- halt Immediately halt the target

- init Immediately halt the target, and execute the reset-init script

Command:soft_reset_halt

Requesting target halt and executing a soft reset. This is often used when a target cannot be reset and halted. The target, after reset is released begins to execute code. OpenOCD attempts to stop the CPU and then sets the program counter back to the reset vector. Unfortunately the code that was executed may have left the hardware in an unknown state.

15.4 Memory access commands

These commands allow accesses of a specific size to the memory system. Often these are used to configure the current target in some special way. For example - one may need to write certain values to the SDRAM controller to enable SDRAM.

Use the targets (plural) command to change the current target.

In system level scripts these commands are deprecated. Please use their TARGET object siblings to avoid making assumptions about what TAP is the current target, or about MMU configuration.

Command:mdw [phys] addr [count]

Command:mdh [phys] addr [count]

Command:mdb [phys] addr [count]

Display contents of address addr, as 32-bit words (mdw), 16-bit halfwords (mdh), or 8-bit bytes (mdb). When the current target has an MMU which is present and active, addr is interpreted as a virtual address. Otherwise, or if the optional phys flag is specified, addr is interpreted as a physical address. If count is specified, displays that many units. (If you want to manipulate the data instead of displaying it, see the mem2array primitives.)

Command:mww [phys] addr word

Command:mwh [phys] addr halfword

Command:mwb [phys] addr byte

Writes the specified word (32 bits), halfword (16 bits), or byte (8-bit) value, at the specified address addr. When the current target has an MMU which is present and active, addr is interpreted as a virtual address. Otherwise, or if the optional phys flag is specified, addr is interpreted as a physical address.

Normally you should be using load_image or GDB load. However, for testing purposes or when I/O overhead is significant(OpenOCD running on an embedded host), storing the image in memory and uploading the image to the target can be a way to upload e.g. multiple debug sessions when the binary does not change. Arguments are the same as load_image, but the image is stored in OpenOCD host memory, i.e. does not affect target. This approach is also useful when profiling target programming performance as I/O and target programming can easily be profiled separately.

Load image from file filename to target memory offset by address from its load address. The file format may optionally be specified (â€˜binâ€™, â€˜ihexâ€™, â€˜elfâ€™, or â€˜s19â€™). In addition the following arguments may be specifed: min_addr - ignore data below min_addr (this is w.r.t. to the targetâ€™s load address address) max_length - maximum number of bytes to load.

Displays image section sizes and addresses as if filename were loaded into target memory starting at address (defaults to zero). The file format may optionally be specified (â€˜binâ€™, â€˜ihexâ€™, or â€˜elfâ€™)

Verify filename against target memory starting at address. The file format may optionally be specified (â€˜binâ€™, â€˜ihexâ€™, or â€˜elfâ€™) This will first attempt a comparison using a CRC checksum, if this fails it will try a binary compare.

15.6 Breakpoint and Watchpoint commands

CPUs often make debug modules accessible through JTAG, with hardware support for a handful of code breakpoints and data watchpoints. In addition, CPUs almost always support software breakpoints.

Command:bp [address len [â€˜hwâ€™]]

With no parameters, lists all active breakpoints. Else sets a breakpoint on code execution starting at address for length bytes. This is a software breakpoint, unless â€˜hwâ€™ is specified in which case it will be a hardware breakpoint.

(See [#arm9-vector_005fcatch arm9 vector_catch], or see [#xscale-vector_005fcatch xscale vector_catch], for similar mechanisms that do not consume hardware breakpoints.)

Command:rbp address

Remove the breakpoint at address.

Command:rwp address

Remove data watchpoint on address

Command:wp [address len [(â€˜râ€™|â€˜wâ€™|â€˜aâ€™) [value [mask]]]]

With no parameters, lists all active watchpoints. Else sets a data watchpoint on data from address for length bytes. The watch point is an "access" watchpoint unless the â€˜râ€™ or â€˜wâ€™ parameter is provided, defining it as respectively a read or write watchpoint. If a value is provided, that value is used when determining if the watchpoint should trigger. The value may be first be masked using mask to mark â€œdonâ€™t careâ€ fields.

16. Architecture and Core Commands

Most CPUs have specialized JTAG operations to support debugging. OpenOCD packages most such operations in its standard command framework. Some of those operations donâ€™t fit well in that framework, so they are exposed here as architecture or implementation (core) specific commands.

16.1 ARM Hardware Tracing

CPUs based on ARM cores may include standard tracing interfaces, based on an â€œEmbedded Trace Moduleâ€ (ETM) which sends voluminous address and data bus trace records to a â€œTrace Portâ€.

Development-oriented boards will sometimes provide a high speed trace connector for collecting that data, when the particular CPU supports such an interface. (The standard connector is a 38-pin Mictor, with both JTAG and trace port support.) Those trace connectors are supported by higher end JTAG adapters and some logic analyzer modules; frequently those modules can buffer several megabytes of trace data. Configuring an ETM coupled to such an external trace port belongs in the board-specific configuration file.

If the CPU doesnâ€™t provide an external interface, it probably has an â€œEmbedded Trace Bufferâ€ (ETB) on the chip, which is a dedicated SRAM. 4KBytes is one common ETB size. Configuring an ETM coupled only to an ETB belongs in the CPU-specific (target) configuration file, since it works the same on all boards.

ETM support in OpenOCD doesnâ€™t seem to be widely used yet.

Issues: ETM support may be buggy, and at least some etm config parameters should be detected by asking the ETM for them.

ETM trigger events could also implement a kind of complex hardware breakpoint, much more powerful than the simple watchpoint hardware exported by EmbeddedICE modules. Such breakpoints can be triggered even when using the dummy trace port driver.

It seems like a GDB hookup should be possible, as well as tracing only during specific states (perhaps handling IRQ 23 or calls foo()).

There should be GUI tools to manipulate saved trace data and help analyse it in conjunction with the source code. Itâ€™s unclear how much of a common interface is shared with the current XScale trace support, or should be shared with eventual Nexus-style trace module support.

At this writing (November 2009) only ARM7, ARM9, and ARM11 support for ETM modules is available. The code should be able to work with some newer cores; but not all of them support this original style of JTAG access.

16.1.1 ETM Configuration

Declares the ETM associated with target, and associates it with a given trace port driver. See [#Trace-Port-Drivers Trace Port Drivers].

Several of the parameters must reflect the trace port capabilities, which are a function of silicon capabilties (exposed later using etm info) and of what hardware is connected to that port (such as an external pod, or ETB). The width must be either 4, 8, or 16, except with ETMv3.0 and newer modules which may also support 1, 2, 24, 32, 48, and 64 bit widths. (With those versions, etm info also shows whether the selected port width and mode are supported.)
The mode must be â€˜normalâ€™, â€˜multiplexedâ€™, or â€˜demultiplexedâ€™. The clocking must be â€˜halfâ€™ or â€˜fullâ€™.

Warning: With ETMv3.0 and newer, the bits set with the mode and clocking parameters both control the mode. This modified mode does not map to the values supported by previous ETM modules, so this syntax is subject to change.

Note: You can see the ETM registers using the reg command. Not all possible registers are present in every ETM. Most of the registers are write-only, and are used to configure what CPU activities are traced.

Command:etm info

Displays information about the current targetâ€™s ETM. This includes resource counts from the ETM_CONFIG register, as well as silicon capabilities (except on rather old modules). from the ETM_SYS_CONFIG register.

Command:etm status

Displays status of the current targetâ€™s ETM and trace port driver: is the ETM idle, or is it collecting data? Did trace data overflow? Was it triggered?

Displays what data that ETM will collect. If arguments are provided, first configures that data. When the configuration changes, tracing is stopped and any buffered trace data is invalidated.

type ... describing how data accesses are traced, when they pass any ViewData filtering that that was set up. The value is one of â€˜noneâ€™ (save nothing), â€˜dataâ€™ (save data), â€˜addressâ€™ (save addresses), â€˜allâ€™ (save data and addresses)

context_id_bits ... 0, 8, 16, or 32

cycle_accurate ... â€˜enableâ€™ or â€˜disableâ€™ cycle-accurate instruction tracing. Before ETMv3, enabling this causes much extra data to be recorded.

branch_output ... â€˜enableâ€™ or â€˜disableâ€™. Disable this unless you need to try reconstructing the instruction trace stream without an image of the code.

Command:etm trigger_debug (â€˜enableâ€™|â€˜disableâ€™)

Displays whether ETM triggering debug entry (like a breakpoint) is enabled or disabled, after optionally modifying that configuration. The default behaviour is â€˜disableâ€™. Any change takes effect after the next etm start.

By using script commands to configure ETM registers, you can make the processor enter debug state automatically when certain conditions, more complex than supported by the breakpoint hardware, happen.

16.1.2 ETM Trace Operation

After setting up the ETM, you can use it to collect data. That data can be exported to files for later analysis. It can also be parsed with OpenOCD, for basic sanity checking.

To configure what is being traced, you will need to write various trace registers using reg ETM_* commands. For the definitions of these registers, read ARM publication IHI 0014, â€œEmbedded Trace Macrocell, Architecture Specificationâ€. Be aware that most of the relevant registers are write-only, and that ETM resources are limited. There are only a handful of address comparators, data comparators, counters, and so on.

Examples of scenarios you might arrange to trace include:

Code flow within a function, excluding subroutines it calls. Use address range comparators to enable tracing for instruction access within that functionâ€™s body.

Code flow within a function, including subroutines it calls. Use the sequencer and address comparators to activate tracing on an â€œentered functionâ€ state, then deactivate it by exiting that state when the functionâ€™s exit code is invoked.

Code flow starting at the fifth invocation of a function, combining one of the above models with a counter.

CPU data accesses to the registers for a particular device, using address range comparators and the ViewData logic.

Such data accesses only during IRQ handling, combining the above model with sequencer triggers which on entry and exit to the IRQ handler.

... more

At this writing, September 2009, there are no Tcl utility procedures to help set up any common tracing scenarios.

Command:etm analyze

Reads trace data into memory, if it wasnâ€™t already present. Decodes and prints the data that was collected.

16.1.3 Trace Port Drivers

To use an ETM trace port it must be associated with a driver.

Trace Port Driver:dummy

Use the â€˜dummyâ€™ driver if you are configuring an ETM thatâ€™s not connected to anything (on-chip ETB or off-chip trace connector). This driver lets OpenOCD talk to the ETM, but it does not expose any trace data collection.

Config Command:etm_dummy config target

Associates the ETM for target with a dummy driver.

Trace Port Driver:etb

Use the â€˜etbâ€™ driver if you are configuring an ETM to use on-chip ETB memory.

Config Command:etb config target etb_tap

Associates the ETM for target with the ETB at etb_tap. You can see the ETB registers using the reg command.

Command:etb trigger_percent [percent]

This displays, or optionally changes, ETB behavior after the ETMâ€™s configured trigger event fires. It controls how much more trace data is saved after the (single) trace trigger becomes active.

The default corresponds to trace around usage, recording 50 percent data before the event and the rest afterwards.

The minimum value of percent is 2 percent, recording almost exclusively data before the trigger. Such extreme trace before usage can help figure out what caused that event to happen.

The maximum value of percent is 100 percent, recording data almost exclusively after the event. This extreme trace after usage might help sort out how the event caused trouble.

Trace Port Driver:oocd_trace

This driver isnâ€™t available unless OpenOCD was explicitly configured with the â€˜--enable-oocd_traceâ€™ option. You probably donâ€™t want to configure it unless youâ€™ve built the appropriate prototype hardware; itâ€™s proof-of-concept software.

Use the â€˜oocd_traceâ€™ driver if you are configuring an ETM thatâ€™s connected to an off-chip trace connector.

Config Command:oocd_trace config target tty

Associates the ETM for target with a trace driver which collects data through the serial port tty.

16.2 Generic ARM

These commands should be available on all ARM processors. They are available in addition to other core-specific commands that may be available.

Command:arm core_state [â€˜armâ€™|â€˜thumbâ€™]

Displays the core_state, optionally changing it to process either â€˜armâ€™ or â€˜thumbâ€™ instructions. The target may later be resumed in the currently set core_state. (Processors may also support the Jazelle state, but that is not currently supported in OpenOCD.)

Command:arm disassemble address [count [â€˜thumbâ€™]]

Disassembles count instructions starting at address. If count is not specified, a single instruction is disassembled. If â€˜thumbâ€™ is specified, or the low bit of the address is set, Thumb2 (mixed 16/32-bit) instructions are used; else ARM (32-bit) instructions are used. (Processors may also support the Jazelle state, but those instructions are not currently understood by OpenOCD.)

Note that all Thumb instructions are Thumb2 instructions, so older processors (without Thumb2 support) will still see correct disassembly of Thumb code. Also, ThumbEE opcodes are the same as Thumb2, with a handful of exceptions. ThumbEE disassembly currently has no explicit support.

Read a coprocessor pX register passing parameters CRn, CRm, opcodes opc1 and opc2, and the MRC instruction. Returns the result so it can be manipulated by Jim scripts. (Parameter sequence matches the ARM instruction, but omits an ARM register.)

Command:arm reg

Display a table of all banked core registers, fetching the current value from every core mode if necessary.

Command:arm semihosting [â€˜enableâ€™|â€˜disableâ€™]

Display status of semihosting, after optionally changing that status.

Semihosting allows for code executing on an ARM target to use the I/O facilities on the host computer i.e. the system where OpenOCD is running. The target application must be linked against a library implementing the ARM semihosting convention that forwards operation requests by using a special SVC instruction that is trapped at the Supervisor Call vector by OpenOCD.

16.3 ARMv4 and ARMv5 Architecture

The ARMv4 and ARMv5 architectures are widely used in embedded systems, and introduced core parts of the instruction set in use today. That includes the Thumb instruction set, introduced in the ARMv4T variant.

16.3.1 ARM7 and ARM9 specific commands

These commands are specific to ARM7 and ARM9 cores, like ARM7TDMI, ARM720T, ARM9TDMI, ARM920T or ARM926EJ-S. They are available in addition to the ARM commands, and any other core-specific commands that may be available.

Command:arm7_9 dbgrq [â€˜enableâ€™|â€˜disableâ€™]

Displays the value of the flag controlling use of the the EmbeddedIce DBGRQ signal to force entry into debug mode, instead of breakpoints. If a boolean parameter is provided, first assigns that flag.

This should be safe for all but ARM7TDMI-S cores (like NXP LPC). This feature is enabled by default on most ARM9 cores, including ARM9TDMI, ARM920T, and ARM926EJ-S.

Command:arm7_9 dcc_downloads [â€˜enableâ€™|â€˜disableâ€™]

Displays the value of the flag controlling use of the debug communications channel (DCC) to write larger (>128 byte) amounts of memory. If a boolean parameter is provided, first assigns that flag.

DCC downloads offer a huge speed increase, but might be unsafe, especially with targets running at very low speeds. This command was introduced with OpenOCD rev. 60, and requires a few bytes of working area.

Command:arm7_9 fast_memory_access [â€˜enableâ€™|â€˜disableâ€™]

Displays the value of the flag controlling use of memory writes and reads that donâ€™t check completion of the operation. If a boolean parameter is provided, first assigns that flag.

This provides a huge speed increase, especially with USB JTAG cables (FT2232), but might be unsafe if used with targets running at very low speeds, like the 32kHz startup clock of an AT91RM9200.

16.3.2 ARM720T specific commands

These commands are available to ARM720T based CPUs, which are implementations of the ARMv4T architecture based on the ARM7TDMI-S integer core. They are available in addition to the ARM and ARM7/ARM9 commands.

16.3.3 ARM9 specific commands

ARM9-family cores are built around ARM9TDMI or ARM9E (including ARM9EJS) integer processors. Such cores include the ARM920T, ARM926EJ-S, and ARM966.

Command:arm9 vector_catch [â€˜allâ€™|â€˜noneâ€™|list]

Vector Catch hardware provides a sort of dedicated breakpoint for hardware events such as reset, interrupt, and abort. You can use this to conserve normal breakpoint resources, so long as youâ€™re not concerned with code that branches directly to those hardware vectors.

This always finishes by listing the current configuration. If parameters are provided, it first reconfigures the vector catch hardware to intercept â€˜allâ€™ of the hardware vectors, â€˜noneâ€™ of them, or a list with one or more of the following: â€˜resetâ€™ â€˜undefâ€™ â€˜swiâ€™ â€˜pabtâ€™ â€˜dabtâ€™ â€˜irqâ€™ â€˜fiqâ€™.

16.3.4 ARM920T specific commands

These commands are available to ARM920T based CPUs, which are implementations of the ARMv4T architecture built using the ARM9TDMI integer core. They are available in addition to the ARM, ARM7/ARM9, and ARM9 commands.

Command:arm920t cache_info

Print information about the caches found. This allows to see whether your target is an ARM920T (2x16kByte cache) or ARM922T (2x8kByte cache).

Command:arm920t cp15 regnum [value]

Display cp15 register regnum; else if a value is provided, that value is written to that register. This uses "physical access" and the register number is as shown in bits 38..33 of table 9-9 in the ARM920T TRM. (Not all registers can be written.)

Interpreted access using ARM instruction opcode, which should be the value of either an MRC or MCR instruction (as shown tables 9-11, 9-12, and 9-13 in the ARM920T TRM). If no value is provided, the result is displayed. Else if that value is written using the specified address, or using zero if no other address is provided.

16.3.5 ARM926ej-s specific commands

These commands are available to ARM926ej-s based CPUs, which are implementations of the ARMv5TEJ architecture based on the ARM9EJ-S integer core. They are available in addition to the ARM, ARM7/ARM9, and ARM9 commands.

The Feroceon cores also support these commands, although they are not built from ARM926ej-s designs.

16.3.6 ARM966E specific commands

These commands are available to ARM966 based CPUs, which are implementations of the ARMv5TE architecture. They are available in addition to the ARM, ARM7/ARM9, and ARM9 commands.

Command:arm966e cp15 regnum [value]

Display cp15 register regnum; else if a value is provided, that value is written to that register. The six bit regnum values are bits 37..32 from table 7-2 of the ARM966E-S TRM. There is no current control over bits 31..30 from that table, as required for BIST support.

16.3.7 XScale specific commands

Some notes about the debug implementation on the XScale CPUs:

The XScale CPU provides a special debug-only mini-instruction cache (mini-IC) in which exception vectors and target-resident debug handler code are placed by OpenOCD. In order to get access to the CPU, OpenOCD must point vector 0 (the reset vector) to the entry of the debug handler. However, this means that the complete first cacheline in the mini-IC is marked valid, which makes the CPU fetch all exception handlers from the mini-IC, ignoring the code in RAM.

To address this situation, OpenOCD provides the xscale vector_table command, which allows the user to explicity write individual entries to either the high or low vector table stored in the mini-IC.

It is recommended to place a pc-relative indirect branch in the vector table, and put the branch destination somewhere in memory. Doing so makes sure the code in the vector table stays constant regardless of code layout in memory:

Alternatively, you may choose to keep some or all of the mini-IC vector table entries synced with those written to memory by your system software. The mini-IC can not be modified while the processor is executing, but for each vector table entry not previously defined using the xscale vector_table command, OpenOCD will copy the value from memory to the mini-IC every time execution resumes from a halt. This is done for both high and low vector tables (although the table not in use may not be mapped to valid memory, and in this case that copy operation will silently fail). This means that you will need to briefly halt execution at some strategic point during system start-up; e.g., after the software has initialized the vector table, but before exceptions are enabled. A breakpoint can be used to accomplish this once the appropriate location in the start-up code has been identified. A watchpoint over the vector table region is helpful in finding the location if youâ€™re not sure. Note that the same situation exists any time the vector table is modified by the system software.

The debug handler must be placed somewhere in the address space using the xscale debug_handler command. The allowed locations for the debug handler are either (0x800 - 0x1fef800) or (0xfe000800 - 0xfffff800). The default value is 0xfe000800.

XScale has resources to support two hardware breakpoints and two watchpoints. However, the following restrictions on watchpoint functionality apply: (1) the value and mask arguments to the wp command are not supported, (2) the watchpoint length must be a power of two and not less than four, and can not be greater than the watchpoint address, and (3) a watchpoint with a length greater than four consumes all the watchpoint hardware resources. This means that at any one time, you can have enabled either two watchpoints with a length of four, or one watchpoint with a length greater than four.

These commands are available to XScale based CPUs, which are implementations of the ARMv5TE architecture.

Command:xscale analyze_trace

Displays the contents of the trace buffer.

Command:xscale cache_clean_address address

Changes the address used when cleaning the data cache.

Command:xscale cache_info

Displays information about the CPU caches.

Command:xscale cp15 regnum [value]

Display cp15 register regnum; else if a value is provided, that value is written to that register.

Set an entry in the mini-IC vector table. There are two tables: one for low vectors (at 0x00000000), and one for high vectors (0xFFFF0000), each holding the 8 exception vectors. index can be 1-7, because vector 0 points to the debug handler entry and can not be overwritten. value holds the 32-bit opcode that is placed in the mini-IC.

16.4 ARMv6 Architecture

16.4.1 ARM11 specific commands

Command:arm11 memwrite burst [â€˜enableâ€™|â€˜disableâ€™]

Displays the value of the memwrite burst-enable flag, which is enabled by default. If a boolean parameter is provided, first assigns that flag. Burst writes are only used for memory writes larger than 1 word. They improve performance by assuming that the CPU has read each data word over JTAG and completed its write before the next word arrives, instead of polling for a status flag to verify that completion. This is usually safe, because JTAG runs much slower than the CPU.

Command:arm11 memwrite error_fatal [â€˜enableâ€™|â€˜disableâ€™]

Displays the value of the memwrite error_fatal flag, which is enabled by default. If a boolean parameter is provided, first assigns that flag. When set, certain memory write errors cause earlier transfer termination.

Command:arm11 step_irq_enable [â€˜enableâ€™|â€˜disableâ€™]

Displays the value of the flag controlling whether IRQs are enabled during single stepping; they are disabled by default. If a boolean parameter is provided, first assigns that.

Command:arm11 vcr [value]

Displays the value of the Vector Catch Register (VCR), coprocessor 14 register 7. If value is defined, first assigns that.

Vector Catch hardware provides dedicated breakpoints for certain hardware events. The specific bit values are core-specific (as in fact is using coprocessor 14 register 7 itself) but all current ARM11 cores except the ARM1176 use the same six bits.

16.5 ARMv7 Architecture

16.5.1 ARMv7 Debug Access Port (DAP) specific commands

These commands are specific to ARM architecture v7 Debug Access Port (DAP), included on Cortex-M3 and Cortex-A8 systems. They are available in addition to other core-specific commands that may be available.

Command:dap apid [num]

Displays ID register from AP num, defaulting to the currently selected AP.

Command:dap apsel [num]

Select AP num, defaulting to 0.

Command:dap baseaddr [num]

Displays debug base address from MEM-AP num, defaulting to the currently selected AP.

Command:dap info [num]

Displays the ROM table for MEM-AP num, defaulting to the currently selected AP.

Command:dap memaccess [value]

Displays the number of extra tck cycles in the JTAG idle to use for MEM-AP memory bus access [0-255], giving additional time to respond to reads. If value is defined, first assigns that.

16.5.2 Cortex-M3 specific commands

Command:cortex_m3 maskisr (â€˜autoâ€™|â€˜onâ€™|â€˜offâ€™)

Control masking (disabling) interrupts during target step/resume.

The â€˜autoâ€™ option handles interrupts during stepping a way they get served but donâ€™t disturb the program flow. The step command first allows pending interrupt handlers to execute, then disables interrupts and steps over the next instruction where the core was halted. After the step interrupts are enabled again. If the interrupt handlers donâ€™t complete within 500ms, the step command leaves with the core running.
Note that a free breakpoint is required for the â€˜autoâ€™ option. If no breakpoint is available at the time of the step, then the step is taken with interrupts enabled, i.e. the same way the â€˜offâ€™ option does.
Default is â€˜autoâ€™.

Parameters request interception of â€˜allâ€™ of these hardware event vectors, â€˜noneâ€™ of them, or one or more of the following: â€˜hard_errâ€™ for a HardFault exception; â€˜mm_errâ€™ for a MemManage exception; â€˜bus_errâ€™ for a BusFault exception; â€˜irq_errâ€™, â€˜state_errâ€™, â€˜chk_errâ€™, or â€˜nocp_errâ€™ for various UsageFault exceptions; or â€˜resetâ€™. If NVIC setup code does not enable them, MemManage, BusFault, and UsageFault exceptions are mapped to HardFault. UsageFault checks for divide-by-zero and unaligned access must also be explicitly enabled.
This finishes by listing the current vector catch configuration.

Using â€˜vectresetâ€™ is a safe option for all current Cortex-M3 cores. This however has the disadvantage of only resetting the core, all peripherals are uneffected. A solution would be to use a reset-init event handler to manually reset the peripherals. See [#Target-Events Target Events].

16.6 Software Debug Messages and Tracing

OpenOCD can process certain requests from target software, when the target uses appropriate libraries. The most powerful mechanism is semihosting, but there is also a lighter weight mechanism using only the DCC channel.

Currently target_request debugmsgs is supported only for â€˜arm7_9â€™ and â€˜cortex_m3â€™ cores. These messages are received as part of target polling, so you need to have poll on active to receive them. They are intrusive in that they will affect program execution times. If that is a problem, see [#ARM-Hardware-Tracing ARM Hardware Tracing].

See â€˜libdccâ€™ in the contrib dir for more details. In addition to sending strings, characters, and arrays of various size integers from the target, â€˜libdccâ€™ also exports a software trace point mechanism. The target being debugged may issue trace messages which include a 24-bit trace point number. Trace point support includes two distinct mechanisms, each supported by a command:

History ... A circular buffer of trace points can be set up, and then displayed at any time. This tracks where code has been, which can be invaluable in finding out how some fault was triggered.

The buffer may overflow, since it collects records continuously. It may be useful to use some of the 24 bits to represent a particular event, and other bits to hold data.

Counting ... An array of counters can be set up, and then displayed at any time. This can help establish code coverage and identify hot spots.

The array of counters is directly indexed by the trace point number, so trace points with higher numbers are not counted.

Linux-ARM kernels have a â€œKernel low-level debugging via EmbeddedICE DCC channelâ€ option (CONFIG_DEBUG_ICEDCC, depends on CONFIG_DEBUG_LL) which uses this mechanism to deliver messages before a serial console can be activated. This is not the same format used by â€˜libdccâ€™. Other software, such as the U-Boot boot loader, sometimes does the same thing.

Displays current handling of target DCC message requests. These messages may be sent to the debugger while the target is running. The optional â€˜enableâ€™ and â€˜charmsgâ€™ parameters both enable the messages, while â€˜disableâ€™ disables them.

With â€˜charmsgâ€™ the DCC words each contain one character, as used by Linux with CONFIG_DEBUG_ICEDCC; otherwise the libdcc format is used.

Command:trace history [â€˜clearâ€™|count]

With no parameter, displays all the trace points that have triggered in the order they triggered. With the parameter â€˜clearâ€™, erases all current trace history records. With a count parameter, allocates space for that many history records.

Command:trace point [â€˜clearâ€™|identifier]

With no parameter, displays all trace point identifiers and how many times they have been triggered. With the parameter â€˜clearâ€™, erases all current trace point counters. With a numeric identifier parameter, creates a new a trace point counter and associates it with that identifier.

Important: The identifier and the trace point number are not related except by this command. These trace point numbers always start at zero (from server startup, or after trace point clear) and count up from there.

17. JTAG Commands

Most general purpose JTAG commands have been presented earlier. (See [#JTAG-Speed JTAG Speed], [#Reset-Configuration Reset Configuration], and [#TAP-Declaration TAP Declaration].) Lower level JTAG commands, as presented here, may be needed to work with targets which require special attention during operations such as reset or initialization.

To use these commands you will need to understand some of the basics of JTAG, including:

A JTAG scan chain consists of a sequence of individual TAP devices such as a CPUs.

Control operations involve moving each TAP through the same standard state machine (in parallel) using their shared TMS and clock signals.

Data transfer involves shifting data through the chain of instruction or data registers of each TAP, writing new register values while the reading previous ones.

Data register sizes are a function of the instruction active in a given TAP, while instruction register sizes are fixed for each TAP. All TAPs support a BYPASS instruction with a single bit data register.

The way OpenOCD differentiates between TAP devices is by shifting different instructions into (and out of) their instruction registers.

17.1 Low Level JTAG Commands

These commands are used by developers who need to access JTAG instruction or data registers, possibly controlling the order of TAP state transitions. If youâ€™re not debugging OpenOCD internals, or bringing up a new JTAG adapter or a new type of TAP device (like a CPU or JTAG router), you probably wonâ€™t need to use these commands. In a debug session that doesnâ€™t use JTAG for its transport protocol, these commands are not available.

Command:drscan tap [numbits value] [â€˜-endstateâ€™ tap_state]

Loads the data register of tap with a series of bit fields that specify the entire register. Each field is numbits bits long with a numeric value (hexadecimal encouraged). The return value holds the original value of each of those fields.

For example, a 38 bit number might be specified as one field of 32 bits then one of 6 bits. For portability, never pass fields which are more than 32 bits long. Many OpenOCD implementations do not support 64-bit (or larger) integer values.
All TAPs other than tap must be in BYPASS mode. The single bit in their data registers does not matter.
When tap_state is specified, the JTAG state machine is left in that state. For example DRPAUSE might be specified, so that more instructions can be issued before re-entering the RUN/IDLE state. If the end state is not specified, the RUN/IDLE state is entered.

Warning: OpenOCD does not record information about data register lengths, so it is important that you get the bit field lengths right. Remember that different JTAG instructions refer to different data registers, which may have different lengths. Moreover, those lengths may not be fixed; the SCAN_N instruction can change the length of the register accessed by the INTEST instruction (by connecting a different scan chain).

Command:flush_count

Returns the number of times the JTAG queue has been flushed. This may be used for performance tuning.

For example, flushing a queue over USB involves a minimum latency, often several milliseconds, which does not change with the amount of data which is written. You may be able to identify performance problems by finding tasks which waste bandwidth by flushing small transfers too often, instead of batching them into larger operations.

Command:irscan [tap instruction] [â€˜-endstateâ€™ tap_state]

For each tap listed, loads the instruction register with its associated numeric instruction. (The number of bits in that instruction may be displayed using the scan_chain command.) For other TAPs, a BYPASS instruction is loaded.

When tap_state is specified, the JTAG state machine is left in that state. For example IRPAUSE might be specified, so the data register can be loaded before re-entering the RUN/IDLE state. If the end state is not specified, the RUN/IDLE state is entered.

Note: OpenOCD currently supports only a single field for instruction register values, unlike data register values. For TAPs where the instruction register length is more than 32 bits, portable scripts currently must issue only BYPASS instructions.

Command:jtag_reset trst srst

Set values of reset signals. The trst and srst parameter values may be â€˜0â€™, indicating that reset is inactive (pulled or driven high), or â€˜1â€™, indicating it is active (pulled or driven low). The reset_config command should already have been used to configure how the board and JTAG adapter treat these two signals, and to say if either signal is even present. See section [#Reset-Configuration Reset Configuration].

Note that TRST is specially handled. It actually signifies JTAGâ€™s RESET state. So if the board doesnâ€™t support the optional TRST signal, or it doesnâ€™t support it along with the specified SRST value, JTAG reset is triggered with TMS and TCK signals instead of the TRST signal. And no matter how that JTAG reset is triggered, once the scan chain enters RESET with TRST inactive, TAP post-reset events are delivered to all TAPs with handlers for that event.

Command:pathmove start_state [next_state ...]

Start by moving to start_state, which must be one of the stable states. Unless it is the only state given, this will often be the current state, so that no TCK transitions are needed. Then, in a series of single state transitions (conforming to the JTAG state machine) shift to each next_state in sequence, one per TCK cycle. The final state must also be stable.

Command:runtestnum_cycles

Move to the RUN/IDLE state, and execute at least num_cycles of the JTAG clock (TCK). Instructions often need some time to execute before they take effect.

Command:verify_ircapture (â€˜enableâ€™|â€˜disableâ€™)

Verify values captured during IRCAPTURE and returned during IR scans. Default is enabled, but this can be overridden by verify_jtag. This flag is ignored when validating JTAG chain configuration.

Command:verify_jtag (â€˜enableâ€™|â€˜disableâ€™)

Enables verification of DR and IR scans, to help detect programming errors. For IR scans, verify_ircapture must also be enabled. Default is enabled.

Note that only six of those states are fully â€œstableâ€ in the face of TMS fixed (low except for RESET) and a free-running JTAG clock. For all the others, the next TCK transition changes to a new state.

From DRSHIFT and IRSHIFT, clock transitions will produce side effects by changing register contents. The values to be latched in upcoming DRUPDATE or IRUPDATE states may not be as expected.

RUN/IDLE, DRPAUSE, and IRPAUSE are reasonable choices after drscan or irscan commands, since they are free of JTAG side effects.

RUN/IDLE may have side effects that appear at non-JTAG levels, such as advancing the ARM9E-S instruction pipeline. Consult the documentation for the TAP(s) you are working with.

18.1 SVF: Serial Vector Format

The Serial Vector Format, better known as SVF, is a way to represent JTAG test patterns in text files. In a debug session using JTAG for its transport protocol, OpenOCD supports running such test files.

Command:svf filename [â€˜quietâ€™]

This issues a JTAG reset (Test-Logic-Reset) and then runs the SVF script from â€˜filenameâ€™. Unless the â€˜quietâ€™ option is specified, each command is logged before it is executed.

18.2 XSVF: Xilinx Serial Vector Format

The Xilinx Serial Vector Format, better known as XSVF, is a binary representation of SVF which is optimized for use with Xilinx devices. In a debug session using JTAG for its transport protocol, OpenOCD supports running such test files.

This issues a JTAG reset (Test-Logic-Reset) and then runs the XSVF script from â€˜filenameâ€™. When a tapname is specified, the commands are directed at that TAP. When â€˜virt2â€™ is specified, the XRUNTEST command counts are interpreted as TCK cycles instead of microseconds. Unless the â€˜quietâ€™ option is specified, messages are logged for comments and some retries.

The OpenOCD sources also include two utility scripts for working with XSVF; they are not currently installed after building the software. You may find them useful:

The input format accepts a handful of non-standard extensions. These include three opcodes corresponding to SVF extensions from Lattice Semiconductor (LCOUNT, LDELAY, LDSR), and two opcodes supporting a more accurate translation of SVF (XTRST, XWAITSTATE). If xsvfdump shows a file is using those opcodes, it probably will not be usable with other XSVF tools.

19. TFTP

If OpenOCD runs on an embedded host(as ZY1000 does), then TFTP can be used to access files on PCs (either the developerâ€™s PC or some other PC).

The way this works on the ZY1000 is to prefix a filename by "/tftp/ip/" and append the TFTP path on the TFTP server (tftpd). For example,

load_image /tftp/10.0.0.96/c:\temp\abc.elf

will load c:\temp\abc.elf from the developer pc (10.0.0.96) into memory as if the file was hosted on the embedded host.

In order to achieve decent performance, you must choose a TFTP server that supports a packet size bigger than the default packet size (512 bytes). There are numerous TFTP servers out there (free and commercial) and you will have to do a bit of googling to find something that fits your requirements.

20. GDB and OpenOCD

OpenOCD complies with the remote gdbserver protocol, and as such can be used to debug remote targets. Setting up GDB to work with OpenOCD can involve several components:

The OpenOCD server support for GDB may need to be configured. See [#GDB-Configuration GDB Configuration].

GDBâ€™s support for OpenOCD may need configuration, as shown in this chapter.

If you have a GUI environment like Eclipse, that also will probably need to be configured.

Of course, the version of GDB you use will need to be one which has been built to know about the target CPU youâ€™re using. Itâ€™s probably part of the tool chain youâ€™re using. For example, if you are doing cross-development for ARM on an x86 PC, instead of using the native x86 gdb command you might use arm-none-eabi-gdb if thatâ€™s the tool chain used to compile your code.

This would cause GDB to connect to the gdbserver on the local pc using port 3333.

A pipe connection is typically started as follows:

target remote | openocd -c "gdb_port pipe; log_output openocd.log"

This would cause GDB to run OpenOCD and communicate using pipes (stdin/stdout). Using this method has the advantage of GDB starting/stopping OpenOCD for the debug session. log_output sends the log output to a file to ensure that the pipe is not saturated when using higher debug level outputs.

To list the available OpenOCD commands type monitor help on the GDB command line.

20.2 Sample GDB session startup

With the remote protocol, GDB sessions start a little differently than they do when youâ€™re debugging locally. Hereâ€™s an examples showing how to start a debug session with a small ARM program. In this case the program was linked to be loaded into SRAM on a Cortex-M3. Most programs would be written into flash (address 0) and run from there.

You could then interrupt the GDB session to make the program break, type where to show the stack, list to show the code around the program counter, step through code, set breakpoints or watchpoints, and so on.

20.3 Configuring GDB for OpenOCD

OpenOCD supports the gdb â€˜qSupportedâ€™ packet, this enables information to be sent by the GDB remote server (i.e. OpenOCD) to GDB. Typical information includes packet size and the deviceâ€™s memory map. You do not need to configure the packet size by hand, and the relevant parts of the memory map should be automatically set up when you declare (NOR) flash banks.

However, there are other things which GDB canâ€™t currently query. You may need to set those up by hand. As OpenOCD starts up, you will often see a line reporting something like:

Rather than typing such commands interactively, you may prefer to save them in a file and have GDB execute them as it starts, perhaps using a â€˜.gdbinitâ€™ in your project directory or starting GDB using gdb -x filename.

20.4 Programming using GDB

By default the target memory map is sent to GDB. This can be disabled by the following OpenOCD configuration option:

gdb_memory_map disable

For this to function correctly a valid flash configuration must also be set in OpenOCD. For faster performance you should also configure a valid working area.

Informing GDB of the memory map of the target will enable GDB to protect any flash areas of the target and use hardware breakpoints by default. This means that the OpenOCD option gdb_breakpoint_override is not required when using a memory map. See [#gdb_005fbreakpoint_005foverride gdb_breakpoint_override].

To view the configured memory map in GDB, use the GDB command â€˜info memâ€™ All other unassigned addresses within GDB are treated as RAM.

GDB 6.8 and higher set any memory area not in the memory map as inaccessible. This can be changed to the old behaviour by using the following GDB command

set mem inaccessible-by-default off

If gdb_flash_program enable is also used, GDB will be able to program any flash memory using the vFlash interface.

GDB will look at the target memory map when a load command is given, if any areas to be programmed lie within the target flash area the vFlash packets will be used.

If the target needs configuring before GDB programming, an event script can be executed:

$_TARGETNAME configure -event EVENTNAME BODY

To verify any flash programming the GDB command â€˜compare-sectionsâ€™ can be used.

22. FAQ

RTCK, also known as: Adaptive Clocking - What is it?

In digital circuit design it is often refered to as â€œclock synchronisationâ€ the JTAG interface uses one clock (TCK or TCLK) operating at some speed, your CPU target is operating at another. The two clocks are not synchronised, they are â€œasynchronousâ€
In order for the two to work together they must be synchronised well enough to work; JTAG canâ€™t go ten times faster than the CPU, for example. There are 2 basic options:

Use a special "adaptive clocking" circuit to change the JTAG clock rate to match what the CPU currently supports.

The JTAG clock must be fixed at some speed thatâ€™s enough slower than the CPU clock that all TMS and TDI transitions can be detected.

Does this really matter? For some chips and some situations, this is a non-issue, like a 500MHz ARM926 with a 5 MHz JTAG link; the CPU has no difficulty keeping up with JTAG. Startup sequences are often problematic though, as are other situations where the CPU clock rate changes (perhaps to save power).
For example, Atmel AT91SAM chips start operation from reset with a 32kHz system clock. Boot firmware may activate the main oscillator and PLL before switching to a faster clock (perhaps that 500 MHz ARM926 scenario). If youâ€™re using JTAG to debug that startup sequence, you must slow the JTAG clock to sometimes 1 to 4kHz. After startup completes, JTAG can use a faster clock.
Consider also debugging a 500MHz ARM926 hand held battery powered device that enters a low power â€œdeep sleepâ€ mode, at 32kHz CPU clock, between keystrokes unless it has work to do. When would that 5 MHz JTAG clock be usable?
Solution #1 - A special circuit
In order to make use of this, your CPU, board, and JTAG adapter must all support the RTCK feature. Not all of them support this; keep reading!
The RTCK ("Return TCK") signal in some ARM chips is used to help with this problem. ARM has a good description of the problem described at this link: http://www.arm.com/support/faqdev/4170.html [checked 28/nov/2008]. Link title: â€œHow does the JTAG synchronisation logic work? / how does adaptive clocking work?â€.
The nice thing about adaptive clocking is that â€œbattery powered hand held device exampleâ€ - the adaptiveness works perfectly all the time. One can set a break point or halt the system in the deep power down code, slow step out until the system speeds up.
Note that adaptive clocking may also need to work at the board level, when a board-level scan chain has multiple chips. Parallel clock voting schemes are good way to implement this, both within and between chips, and can easily be implemented with a CPLD. Itâ€™s not difficult to have logic fan a moduleâ€™s input TCK signal out to each TAP in the scan chain, and then wait until each TAPâ€™s RTCK comes back with the right polarity before changing the output RTCK signal. Texas Instruments makes some clock voting logic available for free (with no support) in VHDL form; see http://tiexpressdsp.com/index.php/Adaptive_ClockingSolution #2 - Always works - but may be slower
Often this is a perfectly acceptable solution.
In most simple terms: Often the JTAG clock must be 1/10 to 1/12 of the target clock speed. But what that â€œmagic divisionâ€ is varies depending on the chips on your board. ARM rule of thumb Most ARM based systems require an 6:1 division; ARM11 cores use an 8:1 division. Xilinx rule of thumb is 1/12 the clock speed.
Note: most full speed FT2232 based JTAG adapters are limited to a maximum of 6MHz. The ones using USB high speed chips (FT2232H) often support faster clock rates (and adaptive clocking).
You can still debug the â€™low powerâ€™ situations - you just need to either use a fixed and very slow JTAG clock rate ... or else manually adjust the clock speed at every step. (Adjusting is painful and tedious, and is not always practical.)
It is however easy to â€œcode your way around itâ€ - i.e.: Cheat a little, have a special debug mode in your application that does a â€œhigh power sleepâ€. If you are careful - 98% of your problems can be debugged this way.
Note that on ARM you may need to avoid using the wait for interrupt operation in your idle loops even if you donâ€™t otherwise change the CPU clock rate. That operation gates the CPU clock, and thus the JTAG clock; which prevents JTAG access. One consequence is not being able to halt cores which are executing that wait for interrupt operation.
To set the JTAG frequency use the command:

# Example: 1.234MHz
adapter_khz 1234

Win32 Pathnames Why donâ€™t backslashes work in Windows paths?

OpenOCD uses Tcl and a backslash is an escape char. Use { and } around Windows filenames.

> echo \a
> echo {\a}
\a
> echo "\a"
>

Missing: cygwin1.dll OpenOCD complains about a missing cygwin1.dll.

Make sure you have Cygwin installed, or at least a version of OpenOCD that claims to come with all the necessary DLLs. When using Cygwin, try launching OpenOCD from the Cygwin shell.

Breakpoint Issue Iâ€™m trying to set a breakpoint using GDB (or a frontend like Insight or Eclipse), but OpenOCD complains that "Info: arm7_9_common.c:213 arm7_9_add_breakpoint(): sw breakpoint requested, but software breakpoints not enabled".

GDB issues software breakpoints when a normal breakpoint is requested, or to implement source-line single-stepping. On ARMv4T systems, like ARM7TDMI, ARM720T or ARM920T, software breakpoints consume one of the two available hardware breakpoints.

Make sure the core frequency specified in the â€˜flash lpc2000â€™ line matches the clock at the time youâ€™re programming the flash. If youâ€™ve specified the crystalâ€™s frequency, make sure the PLL is disabled. If youâ€™ve specified the full core speed (e.g. 60MHz), make sure the PLL is enabled.

Amontec Chameleon When debugging using an Amontec Chameleon in its JTAG Accelerator configuration, I keep getting "Error: amt_jtagaccel.c:184 amt_wait_scan_busy(): amt_jtagaccel timed out while waiting for end of scan, rtck was disabled".

Make sure your PCâ€™s parallel port operates in EPP mode. You might have to try several settings in your PC BIOS (ECP, EPP, and different versions of those).

The errors are non-fatal, and are the result of GDB trying to trace stack frames beyond the last valid frame. It might be possible to prevent this by setting up a proper "initial" stack frame, if you happen to know what exactly has to be done, feel free to add this here.
Simple: In your startup code - push 8 registers of zeros onto the stack before calling main(). What GDB is doing is â€œclimbingâ€ the run time stack by reading various values on the stack using the standard call frame for the target. GDB keeps going - until one of 2 things happen #1 an invalid frame is found, or #2 some huge number of stackframes have been processed. By pushing zeros on the stack, GDB gracefully stops.
Debugging Interrupt Service Routines - In your ISR before you call your C code, do the same - artifically push some zeros onto the stack, remember to pop them off when the ISR is done.
Also note: If you have a multi-threaded operating system, they often do not in the intrest of saving memory waste these few bytes. Painful...

This warning doesnâ€™t indicate any serious problem, as long as you donâ€™t want to debug your core right out of reset. Your .cfg file specified â€˜jtag_reset trst_and_srst srst_pulls_trstâ€™ to tell OpenOCD that either your board, your debugger or your target uC (e.g. LPC2000) canâ€™t assert the two reset signals independently. With this setup, itâ€™s not possible to halt the core right out of reset, everything else should work fine.

USB Power When using OpenOCD in conjunction with Amontec JTAGkey and the Yagarto toolchain (Eclipse, arm-elf-gcc, arm-elf-gdb), the debugging seems to be unstable. When single-stepping over large blocks of code, GDB and OpenOCD quit with an error message. Is there a stability issue with OpenOCD?

No, this is not a stability issue concerning OpenOCD. Most users have solved this issue by simply using a self-powered USB hub, which they connect their Amontec JTAGkey to. Apparently, some computers do not provide a USB power supply stable enough for the Amontec JTAGkey to be operated.
Laptops running on battery have this problem too...

USB Power When using the Amontec JTAGkey, sometimes OpenOCD crashes with the following error messages: "Error: ft2232.c:201 ft2232_read(): FT_Read returned: 4" and "Error: ft2232.c:365 ft2232_send_and_recv(): couldnâ€™t read from FT2232". What does that mean and what might be the reason for this?

First of all, the reason might be the USB power supply. Try using a self-powered hub instead of a direct connection to your computer. Secondly, the error code 4 corresponds to an FT_IO_ERROR, which means that the driver for the FTDI USB chip ran into some sort of error - this points us to a USB problem.

GDB Disconnects When using the Amontec JTAGkey, sometimes OpenOCD crashes with the following error message: "Error: gdb_server.c:101 gdb_get_char(): read: 10054". What does that mean and what might be the reason for this?

Error code 10054 corresponds to WSAECONNRESET, which means that the debugger (GDB) has closed the connection to OpenOCD. This might be a GDB issue.

LPC2000 Flash In the configuration file in the section where flash device configurations are described, there is a parameter for specifying the clock frequency for LPC2000 internal flash devices (e.g. â€˜flash bank $_FLASHNAME lpc2000 0x0 0x40000 0 0 $_TARGETNAME lpc2000_v1 14746 calc_checksumâ€™), which must be specified in kilohertz. However, I do have a quartz crystal of a frequency that contains fractions of kilohertz (e.g. 14,745,600 Hz, i.e. 14,745.600 kHz). Is it possible to specify real numbers for the clock frequency?

No. The clock frequency specified here must be given as an integral number. However, this clock frequency is used by the In-Application-Programming (IAP) routines of the LPC2000 family only, which seems to be very tolerant concerning the given clock frequency, so a slight difference between the specified clock frequency and the actual clock frequency will not cause any trouble.

Command Order Do I have to keep a specific order for the commands in the configuration file?

Well, yes and no. Commands can be given in arbitrary order, yet the devices listed for the JTAG scan chain must be given in the right order (jtag newdevice), with the device closest to the TDO-Pin being listed first. In general, whenever objects of the same type exist which require an index number, then these objects must be given in the right order (jtag newtap, targets and flash banks - a target references a jtag newtap and a flash bank references a target).
You can use the â€œscan_chainâ€ command to verify and display the tap order.
Also, some commands canâ€™t execute until after init has been processed. Such commands include nand probe and everything else that needs to write to controller registers, perhaps for setting up DRAM and loading it with code.

JTAG TAP Order Do I have to declare the TAPS in some particular order?

Yes; whenever you have more than one, you must declare them in the same order used by the hardware.
Many newer devices have multiple JTAG TAPs. For example: ST Microsystems STM32 chips have two TAPs, a â€œboundary scan TAPâ€ and â€œCortex-M3â€ TAP. Example: The STM32 reference manual, Document ID: RM0008, Section 26.5, Figure 259, page 651/681, the â€œTDIâ€ pin is connected to the boundary scan TAP, which then connects to the Cortex-M3 TAP, which then connects to the TDO pin.
Thus, the proper order for the STM32 chip is: (1) The Cortex-M3, then (2) The boundary scan TAP. If your board includes an additional JTAG chip in the scan chain (for example a Xilinx CPLD or FPGA) you could place it before or after the STM32 chip in the chain. For example:

OpenOCD_TDI(output) -> STM32 TDI Pin (BS Input)

STM32 BS TDO (output) -> STM32 Cortex-M3 TDI (input)

STM32 Cortex-M3 TDO (output) -> SM32 TDO Pin

STM32 TDO Pin (output) -> Xilinx TDI Pin (input)

Xilinx TDO Pin -> OpenOCD TDO (input)

The â€œjtag deviceâ€ commands would thus be in the order shown below. Note:

jtag newtap Xilinx tap -irlen ...

jtag newtap stm32 cpu -irlen ...

jtag newtap stm32 bs -irlen ...

# Create the debug target and say where it is

target create stm32.cpu -chain-position stm32.cpu ...

SYSCOMP Sometimes my debugging session terminates with an error. When I look into the log file, I can see these error messages: Error: arm7_9_common.c:561 arm7_9_execute_sys_speed(): timeout waiting for SYSCOMP

23. Tcl Crash Course

Not everyone knows Tcl - this is not intended to be a replacement for learning Tcl, the intent of this chapter is to give you some idea of how the Tcl scripts work.

This chapter is written with two audiences in mind. (1) OpenOCD users who need to understand a bit more of how Jim-Tcl works so they can do something useful, and (2) those that want to add a new command to OpenOCD.

23.2 Tcl Rule #1b

Rule #1: Control flow does not exist. Only commands For example: the classic FOR loop or IF statement is not a control flow item, they are commands, there is no such thing as control flow in Tcl.

Rule #2: If you think otherwise, See Rule #1 Actually what happens is this: There are commands that by convention, act like control flow key words in other languages. One of those commands is the word â€œforâ€, another command is â€œifâ€.

23.4 Tcl Quoting Operators

In life of a Tcl script, there are two important periods of time, the difference is subtle.

Parse Time

Evaluation Time

The two key items here are how â€œquoted thingsâ€ work in Tcl. Tcl has three primary quoting constructs, the [square-brackets] the {curly-braces} and â€œdouble-quotesâ€

By now you should know $VARIABLES always start with a $DOLLAR sign. BTW: To set a variable, you actually use the command â€œsetâ€, as in â€œset VARNAME VALUEâ€ much like the ancient BASIC langauge â€œlet x = 1â€ statement, but without the equal sign.

[square-brackets][square-brackets] are command substitutions. It operates much like Unix Shell â€˜back-ticksâ€˜. The result of a [square-bracket] operation is exactly 1 string. Remember Rule #1 - Everything is a string. These two statements are roughly identical:

â€œdouble-quoted-thingsâ€â€œdouble-quoted-thingsâ€ are just simply quoted text. $VARIABLES and [square-brackets] are expanded in place - the result however is exactly 1 string. Remember Rule #1 - Everything is a string

set x "Dinner"
puts "It is now \"[date]\", $x is in 1 hour"

{Curly-Braces}{Curly-Braces} are magic: $VARIABLES and [square-brackets] are parsed, but are NOT expanded or executed. {Curly-Braces} are like â€™single-quoteâ€™ operators in BASH shell scripts, with the added feature: {curly-braces} can be nested, single quotes can not. {{{this is nested 3 times}}} NOTE: [date] is a bad example; at this writing, Jim/OpenOCD does not have a date command.

When the command â€œprocâ€ is parsed (which creates a procedure function) it gets 3 parameters on the command line. 1 the name of the proc (function), 2 the list of parameters, and 3 the body of the function. Not the choice of words: LIST and BODY. The PROC command stores these items in a table somewhere so it can be found by â€œLookupCommand()â€

23.5.3 The FOR command

The most interesting command to look at is the FOR command. In Tcl, the FOR command is normally implemented in C. Remember, FOR is a command just like any other command.

When the ascii text containing the FOR command is parsed, the parser produces 5 parameter strings, (If in doubt: Refer to Rule #1) they are:

The ascii text â€™forâ€™

The start text

The test expression

The next text

The body text

Sort of reminds you of â€œmain( int argc, char **argv )â€ does it not? Remember Rule #1 - Everything is a string. The key point is this: Often many of those parameters are in {curly-braces} - thus the variables inside are not expanded or replaced until later.

Remember that every Tcl command looks like the classic â€œmain( argc, argv )â€ function in C. In JimTCL - they actually look like this:

23.6.1 source and find commands

The find command is in square brackets, and is executed with the parameter FILENAME. It should find and return the full path to a file with that name; it uses an internal search path. The RESULT is a string, which is substituted into the command line in place of the bracketed find command. (Donâ€™t try to use a FILENAME which includes the "#" character. That character begins Tcl comments.)

The source command is executed with the resulting filename; it reads a file and executes as a script.

The $_TARGETNAME is an OpenOCD variable convention. $_TARGETNAME represents the last target created, the value changes each time a new target is created. Remember the parsing rules. When the ascii text is parsed, the $_TARGETNAME becomes a simple string, the name of the target which happens to be a TARGET (object) command.

The 2nd parameter to the â€˜-eventâ€™ parameter is a TCBODY There are 4 examples:

The TCLBODY is a simple string that happens to be a proc name

The TCLBODY is several simple commands seperated by semicolons

The TCLBODY is a multi-line {curly-brace} quoted string

The TCLBODY is a string with variables that get expanded.

In the end, when the target event FOO occurs the TCLBODY is evaluated. Method #1 and #2 are functionally identical. For Method #3 and #4 it is more interesting. What is the TCLBODY?
Remember the parsing rules. In case #3, {curly-braces} mean the $VARS and [square-brackets] are expanded later, when the EVENT occurs, and the text is evaluated. In case #4, they are replaced before the â€œTarget Object Commandâ€ is executed. This occurs at the same time $_TARGETNAME is replaced. In case #4 the date will never change. {BTW: [date] is a bad example; at this writing, Jim/OpenOCD does not have a date command}

Footnotes

[#DOCF1 (1)]

Note that many systems support a "monitor mode" debug that is a somewhat cleaner way to address such issues. You can think of it as only halting part of the system, maybe just one task, instead of the whole thing. At this writing, January 2010, OpenOCD based debugging does not support monitor mode debug, only "halt mode" debug.

[#DOCF2 (2)]

See chapter 8 "Semihosting" in ARM DUI 0203I, the "RealView Compilation Tools Developer Guide". The CodeSourcery EABI toolchain also includes a semihosting library.

[#DOCF3 (3)]

As a more polite alternative, some processors have special debug-oriented registers which can be used to change various features including how the low power states are clocked while debugging. The STM32 DBGMCU_CR register is an example; at the cost of extra power consumption, JTAG can be used during low power states.